Thousands of Canadians affected by recent cyberattacks on the Canada Revenue Agency and federal government computer systems could be vulnerable to other attacks, warn cybersecurity and privacy experts.
“They have to be very scared if they have another account with the same password,” said Ali Ghorbani, director of the Canadian Institute for Cybersecurity at the University of New Brunswick. “If it doesn’t happen now, it would happen tomorrow.”
Former Ontario privacy commissioner Ann Cavoukian said the risk to those whose accounts were breached shouldn’t be underestimated.
“I don’t think you can exaggerate the risk,” said Cavoukian who is now executive director of the Global Privacy and Security by Design Centre.
“If your information has been compromised then it is in the hands of hackers who could use it for a variety of unintended purposes that you may not be made aware of. It’s the CRA, it’s your financial data and it’s very sensitive information.”
CRA response to hacking
The advice comes after the federal government admitted Monday that hackers accessed the Canada Revenue Agency or GCKey accounts of an estimated 11,200 Canadians in recent days. GCKey is an online portal that allows Canadians to access government services like employment insurance and veterans benefits.
The hackers were able to do things like change bank account information and apply for government benefits, posing as the owner of the account.
The Canada Revenue Agency said Monday it is sending a letter to everyone whose account was hacked. However, in the time it takes for someone to get that letter, those same credentials could be used to strike again if someone has used the same e-mail and password combination for other accounts, said Ghorbani.
The University of New Brunswick’s Dr. Ali Ghorbani, director of the Canadian Institute for Cybersecurity, says Canadians who have had their personal information hacked should immediately change their passwords for other accounts. (University of New Brunswick)
Ghorbani said there’s not much Canadians can do about information that has already been compromised — but they can and should change their passwords.
“If I am one of those people, I would basically change all of my passwords across all of the accounts that I have. And this time I would make sure that these passwords are unique and different from each other.
‘Credential stuffing’
Marc Brouillard, acting chief information officer with the Treasury Board, said the hacking technique, known as “credential stuffing” used e-mail addresses and passwords that had already been compromised.
“The citizens who are worried about identity theft, they already are, they already have been victims,” Brouillard told reporters during a news conference Monday. “The credentials were stolen at some point in the past and these attackers are re-using them.”
Acting chief information officer for the Treasury Board Marc Brouillard explains how a “credential stuffing” cyber attack works. 1:30
Using the same password for their CRA account that they used for the account that was compromised allowed hackers to get in, he explained.
“If you have been a victim here, there’s a good chance that you are a victim elsewhere as well. Check your bank accounts, check your social media, check your e-commerce systems because the attackers will use those wherever they can and they have quite sophisticated systems.”
Ghorbani, whose research focuses on the human element in cybersecurity, said when it comes to cyberattacks it’s not a matter of if but of when.
“Attacks on government or industry will happen regardless because the bad guys are always on the move, finding new ways, new holes to breach and compromise.”
Dark web accounts
Ghorbani said there are an estimated 5 billion compromised accounts out there in the dark web for hackers to use or buy. The dark web is not visible to regular search engines and has a reputation of being a place where you can buy or sell everything from drugs and weapons to stolen data.
“It’s just basically a simple program where they try to log in to millions of accounts using this database information to see which one actually goes through.”
For example, in April the popular videoconferencing platform Zoom was compromised and half a million users credentials ended up on the dark web.
“If I’m a user of Zoom and I’m also using the same password for my CRA account or my bank account, I’m very much at risk now and I’m lucky if I’m not compromised because my information is out there,” said Ghorbani.
Ghorbani said the attacks could have come from anywhere but he suspects they came from outside Canada.
Canadian government officials refused repeatedly Monday to comment on the possible source of the attacks, saying it is under investigation by the RCMP.
Ann Cavoukian, the former privacy commissioner of Ontario, says the federal government should be increasing the security of its websites – not blaming Canadians who re-use passwords for the breach. (Joe Fiorino/CBC)
Cavoukian said the federal government shouldn’t be blaming those whose data was breached for re-using passwords. Instead, she said, it should have had better protection of its sites.
Canadians who want to know if their accounts were breached should be able to phone or e-mail the government rather than have to wait for a letter, Cavoukian said.
Cavoukian also called on Prime Minister Justin Trudeau to act.
“Someone has to take some responsibility in terms of how this is going to be fixed and, more importantly, how are they going to prevent this from happening in the future. They have to start employing strong encryption. I don’t think they are doing that now.”
Elizabeth Thompson can be reached at elizabeth.thompson@cbc.ca
MONTREAL – Travel company Transat AT Inc. reported a loss in its latest quarter compared with a profit a year earlier as its revenue edged lower.
The parent company of Air Transat says it lost $39.9 million or $1.03 per diluted share in its quarter ended July 31.
The result compared with a profit of $57.3 million or $1.49 per diluted share a year earlier.
Revenue in what was the company’s third quarter totalled $736.2 million, down from $746.3 million in the same quarter last year.
On an adjusted basis, Transat says it lost $1.10 per share in its latest quarter compared with an adjusted profit of $1.10 per share a year earlier.
Transat chief executive Annick Guérard says demand for leisure travel remains healthy, as evidenced by higher traffic, but consumers are increasingly price conscious given the current economic uncertainty.
This report by The Canadian Press was first published Sept. 12, 2024.
Dollarama Inc.’s food aisles may have expanded far beyond sweet treats or piles of gum by the checkout counter in recent years, but its chief executive maintains his company is “not in the grocery business,” even if it’s keeping an eye on the sector.
“It’s just one small part of our store,” Neil Rossy told analysts on a Wednesday call, where he was questioned about the company’s food merchandise and rivals playing in the same space.
“We will keep an eye on all retailers — like all retailers keep an eye on us — to make sure that we’re competitive and we understand what’s out there.”
Over the last decade and as consumers have more recently sought deals, Dollarama’s food merchandise has expanded to include bread and pantry staples like cereal, rice and pasta sold at prices on par or below supermarkets.
However, the competition in the discount segment of the market Dollarama operates in intensified recently when the country’s biggest grocery chain began piloting a new ultra-discount store.
The No Name stores being tested by Loblaw Cos. Ltd. in Windsor, St. Catharines and Brockville, Ont., are billed as 20 per cent cheaper than discount retail competitors including No Frills. The grocery giant is able to offer such cost savings by relying on a smaller store footprint, fewer chilled products and a hearty range of No Name merchandise.
Though Rossy brushed off notions that his company is a supermarket challenger, grocers aren’t off his radar.
“All retailers in Canada are realistic about the fact that everyone is everyone’s competition on any given item or category,” he said.
Rossy declined to reveal how much of the chain’s sales would overlap with Loblaw or the food category, arguing the vast variety of items Dollarama sells is its strength rather than its grocery products alone.
“What makes Dollarama Dollarama is a very wide assortment of different departments that somewhat represent the old five-and-dime local convenience store,” he said.
The breadth of Dollarama’s offerings helped carry the company to a second-quarter profit of $285.9 million, up from $245.8 million in the same quarter last year as its sales rose 7.4 per cent.
The retailer said Wednesday the profit amounted to $1.02 per diluted share for the 13-week period ended July 28, up from 86 cents per diluted share a year earlier.
The period the quarter covers includes the start of summer, when Rossy said the weather was “terrible.”
“The weather got slightly better towards the end of the summer and our sales certainly increased, but not enough to make up for the season’s horrible start,” he said.
Sales totalled $1.56 billion for the quarter, up from $1.46 billion in the same quarter last year.
Comparable store sales, a key metric for retailers, increased 4.7 per cent, while the average transaction was down2.2 per cent and traffic was up seven per cent, RBC analyst Irene Nattel pointed out.
She told investors in a note that the numbers reflect “solid demand as cautious consumers focus on core consumables and everyday essentials.”
Analysts have attributed such behaviour to interest rates that have been slow to drop and high prices of key consumer goods, which are weighing on household budgets.
To cope, many Canadians have spent more time seeking deals, trading down to more affordable brands and forgoing small luxuries they would treat themselves to in better economic times.
“When people feel squeezed, they tend to shy away from discretionary, focus on the basics,” Rossy said. “When people are feeling good about their wallet, they tend to be more lax about the basics and more willing to spend on discretionary.”
The current economic situation has drawn in not just the average Canadian looking to save a buck or two, but also wealthier consumers.
“When the entire economy is feeling slightly squeezed, we get more consumers who might not have to or want to shop at a Dollarama generally or who enjoy shopping at a Dollarama but have the luxury of not having to worry about the price in some other store that they happen to be standing in that has those goods,” Rossy said.
“Well, when times are tougher, they’ll consider the extra five minutes to go to the store next door.”
This report by The Canadian Press was first published Sept. 11, 2024.
TORONTO – The U.S. Consumer Financial Protection Bureau has ordered TD Bank Group to pay US$28 million for repeatedly sharing inaccurate, negative information about its customers to consumer reporting companies.
The agency says TD has to pay US$7.76 million in total to tens of thousands of victims of its illegal actions, along with a US$20 million civil penalty.
It says TD shared information that contained systemic errors about credit card and bank deposit accounts to consumer reporting companies, which can include credit reports as well as screening reports for tenants and employees and other background checks.
CFPB director Rohit Chopra says in a statement that TD threatened the consumer reports of customers with fraudulent information then “barely lifted a finger to fix it,” and that regulators will need to “focus major attention” on TD Bank to change its course.
TD says in a statement it self-identified these issues and proactively worked to improve its practices, and that it is committed to delivering on its responsibilities to its customers.
The bank also faces scrutiny in the U.S. over its anti-money laundering program where it expects to pay more than US$3 billion in monetary penalties to resolve.
This report by The Canadian Press was first published Sept. 11, 2024.
