Victims of CRA hackers vulnerable to other cyberattacks: experts

Thousands of Canadians affected by recent attacks on the Canada Revenue Agency and federal government computer systems could be vulnerable to other attacks, warn cybersecurity and privacy experts.

Experts estimate there are five billion compromised accounts available to hackers on the dark web

A silhouetted man hunched over a computer with data illuminated in the background.
Hackers have accessed the CRA and GCKey accounts of thousands of Canadians in recent days. (Kacper Pempel/Reuters)

Thousands of Canadians affected by recent cyberattacks on the Canada Revenue Agency and federal government computer systems could be vulnerable to other attacks, warn cybersecurity and privacy experts.

"They have to be very scared if they have another account with the same password," said Ali Ghorbani, director of the Canadian Institute for Cybersecurity at the University of New Brunswick. "If it doesn't happen now, it would happen tomorrow."

Former Ontario privacy commissioner Ann Cavoukian said the risk to those whose accounts were breached shouldn't be underestimated.

"I don't think you can exaggerate the risk," said Cavoukian who is now executive director of the Global Privacy and Security by Design Centre.

"If your information has been compromised then it is in the hands of hackers who could use it for a variety of unintended purposes that you may not be made aware of. It's the CRA, it's your financial data and it's very sensitive information."

CRA response to hacking

The advice comes after the federal government admitted Monday that hackers accessed the Canada Revenue Agency or GCKey accounts of an estimated 11,200 Canadians in recent days. GCKey is an online portal that allows Canadians to access government services like employment insurance and veterans benefits. 

The hackers were able to do things like change bank account information and apply for government benefits, posing as the owner of the account.

The Canada Revenue Agency said Monday it is sending a letter to everyone whose account was hacked. However, in the time it takes for someone to get that letter, those same credentials could be used to strike again if someone has used the same e-mail and password combination for other accounts, said Ghorbani.

The University of New Brunswick's Dr. Ali Ghorbani, director of the Canadian Institute for Cybersecurity, says Canadians who have had their personal information hacked should immediately change their passwords for other accounts. (University of New Brunswick)

Ghorbani said there's not much Canadians can do about information that has already been compromised — but they can and should change their passwords.

"If I am one of those people, I would basically change all of my passwords across all of the accounts that I have. And this time I would make sure that these passwords are unique and different from each other.

'Credential stuffing'

Marc Brouillard, acting chief information officer with the Treasury Board, said the hacking technique, known as "credential stuffing" used e-mail addresses and passwords that had already been compromised.

"The citizens who are worried about identity theft, they already are, they already have been victims," Brouillard told reporters during a news conference Monday. "The credentials were stolen at some point in the past and these attackers are re-using them."

WATCH | Security official explains how a 'credential stuffing' cyberattack works:

Security official explains how "credential stuffing" works

3 years ago
Duration 1:30
Acting chief information officer for the Treasury Board Marc Brouillard explains how a "credential stuffing" cyber attack works.

Using the same password for their CRA account that they used for the account that was compromised allowed hackers to get in, he explained.

"If you have been a victim here, there's a good chance that you are a victim elsewhere as well. Check your bank accounts, check your social media, check your e-commerce systems because the attackers will use those wherever they can and they have quite sophisticated systems." 

Ghorbani, whose research focuses on the human element in cybersecurity, said when it comes to cyberattacks it's not a matter of if but of when.

"Attacks on government or industry will happen regardless because the bad guys are always on the move, finding new ways, new holes to breach and compromise."

Dark web accounts

Ghorbani said there are an estimated 5 billion compromised accounts out there in the dark web for hackers to use or buy. The dark web is not visible to regular search engines and has a reputation of being a place where you can buy or sell everything from drugs and weapons to stolen data. 

"It's just basically a simple program where they try to log in to millions of accounts using this database information to see which one actually goes through."

For example, in April the popular videoconferencing platform Zoom was compromised and half a million users' credentials ended up on the dark web.

"If I'm a user of Zoom and I'm also using the same password for my CRA account or my bank account, I'm very much at risk now and I'm lucky if I'm not compromised because my information is out there," said Ghorbani.

Ghorbani said the attacks could have come from anywhere but he suspects they came from outside Canada.

Canadian government officials refused repeatedly Monday to comment on the possible source of the attacks, saying it is under investigation by the RCMP.

A woman standing.
Ann Cavoukian, the former privacy commissioner of Ontario, says the federal government should be increasing the security of its websites - not blaming Canadians who re-use passwords for the breach. (Joe Fiorino/CBC)

Cavoukian said the federal government shouldn't be blaming those whose data was breached for re-using passwords. Instead, she said, it should have had better protection of its sites.

Canadians who want to know if their accounts were breached should be able to phone or e-mail the government rather than have to wait for a letter, Cavoukian said.

Cavoukian also called on Prime Minister Justin Trudeau to act.

"Someone has to take some responsibility in terms of how this is going to be fixed and, more importantly, how are they going to prevent this from happening in the future. They have to start employing strong encryption. I don't think they are doing that now."

Elizabeth Thompson can be reached at elizabeth.thompson@cbc.ca


Elizabeth Thompson

Senior reporter

Award-winning reporter Elizabeth Thompson covers Parliament Hill. A veteran of the Montreal Gazette, Sun Media and iPolitics, she currently works with the CBC's Ottawa bureau, specializing in investigative reporting and data journalism. She can be reached at: elizabeth.thompson@cbc.ca.