The federal government has revealed that the Canada Revenue Agency was recently hit by two cyberattacks, compromising thousands of accounts linked to the agency’s services.
The agency confirmed on Saturday that as of Aug. 14, about 5,500 accounts had been affected by the separate attacks but that the breaches are now contained. The CRA’s My Account, My Business Account and Represent a Client services were affected in the incidents.
“The CRA quickly identified the impacted accounts and disabled access to these accounts to ensure the safety and security of the taxpayer’s information,” CRA spokesperson Christopher Doody wrote in an email.
“The CRA is continuing to analyze both incidents. Law enforcement assistance has been requested from RCMP and an investigation has been initiated.”
The admission came after repeated inquiries from CBC News after CBC noticed a pattern of similar hacks occurring over the past two weeks.
Earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, their direct deposit information altered and that CERB payments had been issued in their name even though they had not applied for the COVID-19 benefit.
Most reported that they were first alerted to the suspicious activity after receiving legitimate emails from the CRA confirming that their email addresses had been discontinued.
CRA Fraud Alert 1/n:<br>My wife woke up to multiple emails from Canada Revenue Agency saying she was going to receive a CERB payment and her Direct Deposit information was changed.<br><br>She had done none of these things…
—@chrisalecanada
Attacks based on reused usernames, passwords
The incidents are a type of attack known as “credential stuffing,” the Treasury Board’s Office of the Chief Information Officer shared in a statement.
“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.”
Aside from CRA accounts, thousands of others linked to GCKey — a secure portal that allows Canadians to access government services online — were also affected.
“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” the statement read.
Compromised accounts connected to that platform, which is used by about 30 federal departments, were shut down when the threat was first discovered.
1/5 The GC has taken action in response to credential stuffing attacks mounted on the GCKey service and the CRA. <a href=”https://t.co/KZhvFKFQot”>pic.twitter.com/KZhvFKFQot</a>
—@DigitalCDN
CERB fraud not uncommon
In an email sent to CBC News days before the CRA publicized the attacks, the agency said there is typically an uptick in fraudulent activity at the beginning of each CERB pay period. The most recent period started Aug. 2.
The Canadian Anti-Fraud Centre has already received more than 700 reports of identity fraud connected to the federal emergency response benefit. Resolving a fraud attempt can sometimes be a lengthy process for victims that can see them frozen out of receiving other benefits until their accounts are restored.
The CRA said it is sending letters to those affected by the attacks explaining how to confirm their identity to regain control of their accounts. Individuals phoning the agency for help can select the “report suspected fraud or identity theft” option to fast-track their call.
Canada’s cyber intelligence agency recommends that anyone affected by the breach update their passwords immediately and choose something they will not use for any other account.
