A full-scale investigation by the RCMP and the Canadian Centre of Cyber Security has been launched into cyber attacks on federal government departments that compromised the personal information of thousands of Canadians, according to government officials who say the fraudulent access to government services has been brought under control.
On Saturday, the Canada Revenue Agency suspended its online services following what officials described as “credential stuffing” schemes.
The suspension comes as millions of Canadians and businesses use the CRA website to apply for and access financial support related to the COVID-19 pandemic.
Officials say they expect service to return to normal by Wednesday.
As first reported by CBC News, the attacks targeted CRA and GCKey, a secure online portal used by around 30 federal departments that allows Canadians to access services such as employment insurance, veterans’ benefits and immigration applications.
Annette Butikofer, chief information officer at CRA, said Monday at a hastily arranged news conference in Ottawa that the CRA was impacted by three separate cybersecurity incidents that may have allowed fraudsters to access the CRA My Account of 5,600 individuals.
The first attack occurred when hackers involved in the GCKey attack gained access to 3,400 CRA accounts.
A second attack took place last week, when hackers took advantage of a vulnerability in the agency’s software that allowed them to bypass the normally required security question and gain access to user accounts.
The third attack took place over the weekend, causing CRA to temporarily cut off access to its online services on Sunday, including services connected to My Account, My Business Account and Represent a Client.
Acting chief information officer for the Treasury Board of Canada Secretariat Marc Brouillard confirmed the attacks were a form of “credential stuffing,” where hackers fraudulently obtain usernames and passwords to accounts on other websites, and take advantage of the fact that many people use the same password for different accounts.
“By using previously hacked usernames and passwords, the bad actors were able to fraudulently acquire approximately 9,000 of the roughly 12 million active [GCKey] accounts, a third of which accessed such services and are being further examined for suspicious activities,” Brouillard said.
“The [Government of Canada] has worked around the clock to reduce the threat to Canadians affected … The credential stuffing attack on GC has ceased,” he said.
Brouillard said the affected accounts were cancelled as soon as the threat was discovered, and departments are contacting users whose credentials were compromised to provide instructions on how to receive a new GCKey.
The CRA’s announcement on Saturday that it was suspending online operations came after repeated inquiries from CBC News, which had noticed a pattern of similar hacks occurring over the past two weeks.
Raisa Patel and Philip Ling of CBC News report that earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, that their direct deposit information was altered and that CERB payments had been issued in their name even though they had not applied for the COVID-19 benefit.
“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts,” the Treasury Board of Canada said in a statement on Saturday.
The Canadian Anti-Fraud Centre says more than 13,000 Canadians have been victims of fraud totalling $51 million this year. There have been 1,729 victims of COVID-19 fraud worth $5.55 million.
With files from CBC News (Raisa Patel, Philip Ling, Ryan Patrick Jones), The Canadian Press (Lee Berthiaume)