According to federal officials, there was a breach of thousands of Canadians’ online Canada Revenue Agency accounts after series of cyber-attacks leveled against the Government of Canada exploited an internal “vulnerability” and leveraged earlier hacked login details. The Canada Revenue Agency temporarily closed its services over the weekend after hackers used thousands of stolen usernames and passwords to access government services fraudulently.
On Monday, officials confirmed that around 11,200 accounts for Government of Canada services were compromised in the attacks. Officials added that some accounts are being monitored for suspicious behavior, and one-third of accounts were used for logging into government services. They comprised of CRA accounts together with “GCKey” accounts, which are used by 30 government departments and agencies to gain access to other online portals.
The officials said that there were more than 5,600 CRA accounts and 9,000 affected “GCKey” accounts. Marc Brouillard, the acting chief information officer for the Government of Canada, indicated that the bad actors were able to use the previously hacked credentials to access the CRA portal. He added that they bypassed the CRA security questions and gained access to a user’s CRA account after exploiting a vulnerability in the configuration of security software solutions. He also said that the vulnerability was patched, and the risk of this attack vector has been solved.
On Aug. 7, government officials stated that they first became aware of security issues and contacted the RCMP on Aug. 11.
However, it was until further attacks were executed that Canadians were informed. The CRA defended itself for not notifying Canadians earlier. They stated that plans needed to be made internally to notify people and help regain access to their breached accounts. The cyberattacks applied “credential stuffing” schemes, where batches of stolen passwords and usernames from other websites are tested using automated bots to try to access users’ other online accounts. This was possible as many Canadians reuse passwords and usernames across many online accounts.
At this time, Canadians and Canadian businesses are still relying on COVID-19 emergency federal aid programs to stay financially afloat, but now there is a temporary online shutdown. To allow employers to access their accounts, the CRA was able to re-launch its business portal. Companies may start applying for the revamped federal wage subsidy program on Monday. By Wednesday, it is expected that the remaining online services will be back and running. Annette Butikofer, the CRA’s chief information officer, stated that they are also executing additional controls, and they expect to have them in place by Wednesday.