Following two cyber-attacks in which hackers used thousands of stolen usernames and passwords to fraudulently obtain government services and compromise Canadians’ personal information, the Canada Revenue Agency has temporarily suspended its online services. In what the federal government termed two “credential stuffing” schemes, about 5,500 CRA accounts were hacked. The hackers used usernames and passwords from other websites to gain entry into Canadians’ accounts with the revenue agency.
Before the decision to suspend the CRA’s online services, many Canadians and businesses were using the revenue agency’s website to apply for and access financial support associated with the COVID-19 pandemic. According to a senior government official, the government is hoping to reinstate online access for businesses on Monday. From that day, companies struggling because of the pandemic can begin applying for the latest round of federal wage subsidies. However, the effect of the suspension on those services was not clear. It was also not clear what victims of the attack will need to do to get their accounts reinstated. They said only that letters would be mailed to those who have been affected.
One victim stated she had not heard anything from the government after her CRA account was hacked earlier this month and used to successfully apply for the $2,000-per-month Canada Emergency Response Benefit (CERB) for COVID-19. Moreover, one law clerk stated that when she received several emails from the CRA on Aug. 7 saying she had successfully applied for the CERB, she realized her account had been compromised and contacted the revenue agency herself. She also stated she later received a text indicating that a senior officer would be calling her within 24 hours because her account was completely locked down, but she has yet to hear anything.
The lawyer expressed frustration at the lack of contact. She also stated that to stop the hackers from using her information to commit more fraud, she contacted her bank and other financial institutions. She was worried that many of the hacked CRA accounts were targeted as part of a broader “credential stuffing” attack on more than 9,000 accounts that Canadians use to apply for and access federal services. The hacked accounts were associated with GCKey. The Treasury Board of Canada said in a statement that the attacks took advantage of the fact that many people reuse usernames and passwords across multiple accounts.
The Treasury Board stated that before all of the affected accounts were shut down, one-third of the accounts successfully accessed services. The federal privacy commissioner is trying to assess the scale and scope of personal information stolen.
They also warned Canadians to monitor their accounts for suspicious activity and to use unique passwords for all online accounts.
According to the Canadian Anti-Fraud Centre, more than 13,000 Canadians have been victims of fraud totalling $51 million this year.