Cyberattacks targeting CRA, Canadians’ COVID-19 benefits have been brought under control: officials

Total of 11,200 Canada Revenue Agency and GCKey accounts affected by series of attacks. Fraudsters exploited a security vulnerability in the Government of Canada website and took advantage of login credentials exposed through previous hacks to conduct a series of cyberattacks that compromised the personal information of thousands of Canadians, federal officials say.

As first reported by CBC News, the attacks targeted the Canada Revenue Agency (CRA) and GCKey, a secure online portal that allows Canadians to access services such as employment insurance, veterans’ benefits and immigration applications. The attacks come at a time when millions of Canadians have been relying on the CRA’s website to apply for and access COVID-19 emergency benefits.

Acting chief information officer for the Treasury Board of Canada Secretariat Marc Brouillard said the attacks were a form of “credential stuffing,” where hackers fraudulently obtain usernames and passwords to accounts on other websites, and take advantage of the fact that many people use the same password for different accounts.

“The bad actors were able to use the previously hacked credentials to access the CRA portal. They were also able to exploit a vulnerability in the configuration of security software … which allowed them to bypass the CRA security questions and gain access to a user’s CRA account,” Brouillard said on Monday. “Because of the systems that we have in place, we were able to detect these attacks early on and have been largely been able to mitigate the impact to Canadians.”

A total of 11,200 accounts were impacted in the attacks, Brouillard said, including more than 9,000 GCKey accounts and another 5,600 CRA accounts, although almost half the CRA accounts were linked to the GCKey hack.

Brouillard said the affected accounts were cancelled as soon as the threat was discovered, and departments are contacting users whose credentials were compromised to provide instructions on how to receive a new GCKey.

CRA online services for individuals temporarily disabled

Earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, that their direct deposit information was altered and that CERB funds or other payments had been issued in their name even though they had not applied for the COVID-19 benefit.

Most reported that they were first alerted to the suspicious activity after receiving legitimate emails from the CRA stating that their email addresses had been discontinued.

Annette Butikofer, chief information officer at CRA, said the tax agency was impacted by three separate cybersecurity breaches. The agency became aware of the first breach on Aug. 7.

The agency contacted the RCMP on Aug. 11 and began to step up its own security measures, Butikofer said.

Canadians were only notified of the breach over the weekend when CRA temporarily became the target of another attack and decided to shut down its online platforms, cutting off access to services connected to My Account, My Business Account and Represent a Client.

Butikofer said My Business Account, which is used by employers, is back online with additional safety measures so employers can apply for the most recent round of the emergency wage subsidy.

She said CRA hopes to have its online services for individuals back up and running by mid-week. In the meantime, Canadians can still apply for COVID-19 benefit programs by calling 1-800-959-8281.

Anyone who becomes a victim of identity theft will be eligible for creditor protection and will be “made whole,” Butikofer said.