The government says swift action has been taken to protect data and the tax agency's online services are currently suspended
In increasingly risky times for online data security, the Canada Revenue Agency is the latest high-profile organization to be targeted.
The federal government said Sunday that the tax agency has suffered an attack which has compromised the personal information of around 5,500 taxpayers.
The cybercriminals used a technique called “credential stuffing,” in which usernames and passwords stolen in previous data breaches on other sites are tried on the assumption that they are still valid.
Because so many people use the same username and password combinations on multiple sites, this cyberattack method frequently bears fruit.
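From the defender's side, credential stuffing shows up in login logs as one source trying many different accounts once or twice each, with most attempts failing and a minority succeeding. The sketch below is an added illustration, not code from the CRA or GCKey; the event format, the thresholds and the sample data are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
EVENTS = (
    # One source, twelve accounts, one try each, a third succeed: stuffing pattern.
    [("203.0.113.7", f"user{i}", i % 3 == 0) for i in range(12)]
    # One person mistyping their own password, then getting it right.
    + [("198.51.100.4", "alice", False)] * 3 + [("198.51.100.4", "alice", True)]
    # Two people behind the same home router logging in normally.
    + [("192.0.2.9", "bob", True), ("192.0.2.9", "carol", True)]
)


def detect_stuffing(events, min_users=10, max_tries_per_user=2.0, min_fail_ratio=0.5):
    """Return {source_ip: [accounts that were successfully accessed]} for
    sources whose traffic looks like credential stuffing.

    Thresholds are illustrative assumptions, not recommended values.
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "hits": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)      # reused password worked: account exposed
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in stats.items():
        tries_per_user = s["attempts"] / len(s["users"])
        fail_ratio = s["failures"] / s["attempts"]
        # Many distinct accounts, few tries on each, mostly failures.
        if (len(s["users"]) >= min_users
                and tries_per_user <= max_tries_per_user
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = sorted(s["hits"])
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(EVENTS).items():
        print(f"{ip}: suspend and reset {accounts}")
```

The accounts returned for a flagged source are the ones to suspend and reset first. Attacks spread across many source addresses need the same counts grouped by other attributes as well.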
As well as the credential stuffing incident, CRA accounts were also accessed as part of a wider attack on the federal government’s secure access system GCKey, which allows access to 30 government services. In that attack, 9,041 user account names and passwords were obtained, and around a third were used to access services.
The affected GCKey accounts were suspended and the government is contacting those who were affected. If you have immediate concerns, you can call 1-800-O-Canada.
The government says it is continuing its investigation, as is the RCMP, to determine whether there have been any privacy breaches and whether information was obtained from these accounts. The Office of the Privacy Commissioner has been contacted and alerted to possible breaches.
Fraudulent applications
Along with official communications about the cyber incidents, a report from BNN Bloomberg reveals the risk to individuals.
Kitchener resident Leah Baverstock says that her CRA account was hacked earlier this month and a fraudulent application was made for the Canada Emergency Response Benefit (CERB).
“I am quite concerned,” she told BNN Bloomberg. “Somebody could be living under my name. Who knows. It's scary. It's really scary.”
Baverstock says that she was told by someone at the CRA that this was a one-off incident and that she would be contacted by someone for further assistance. She says she is still waiting more than a week later.
1/5 The GC has taken action in response to credential stuffing attacks mounted on the GCKey service and the CRA. pic.twitter.com/KZhvFKFQot
— Digital Government (@DigitalCDN) August 15, 2020