Fraudsters exploited a security vulnerability in the Government of Canada website and took advantage of login credentials exposed through previous hacks to conduct a series of cyberattacks that compromised the personal information of thousands of Canadians, federal officials say.
As first reported by CBC News, the attacks targeted the Canada Revenue Agency (CRA) and GCKey, a secure online portal that allows Canadians to access services such as employment insurance, veterans' benefits and immigration applications. The attacks come at a time when millions of Canadians have been relying on the CRA's website to apply for and access COVID-19 emergency benefits.
While the breaches have been contained, the schemes allowed hackers to fraudulently access government services and apply for or redirect payments to themselves.
Acting chief information officer for the Treasury Board of Canada Secretariat Marc Brouillard said at a technical briefing in Ottawa on Monday that the attacks were a form of "credential stuffing," where hackers fraudulently obtain usernames and passwords to accounts on other websites, and take advantage of the fact that many people use the same password for different accounts.
"The bad actors were able to use the previously hacked credentials to access the CRA portal. They were also able to exploit a vulnerability in the configuration of security software ... which allowed them to bypass the CRA security questions and gain access to a user's CRA account," Brouillard said on Monday. "Because of the systems that we have in place, we were able to detect these attacks early on and have largely been able to mitigate the impact to Canadians."
A total of 11,200 accounts were impacted in the attacks, Brouillard said, including more than 9,000 GCKey accounts and another 5,600 CRA accounts, although almost half the CRA accounts were linked to the GCKey hack.
Brouillard said the affected accounts were cancelled as soon as the threat was discovered, and departments are contacting users whose credentials were compromised to provide instructions on how to receive a new GCKey.
CRA online services for individuals temporarily disabled
Earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, that their direct deposit information was altered and that CERB funds or other payments had been issued in their name even though they had not applied for the COVID-19 benefit.
Most reported that they were first alerted to the suspicious activity after receiving legitimate emails from the CRA stating that their email addresses had been discontinued.
Annette Butikofer, chief information officer at CRA, said the tax agency was impacted by three separate cybersecurity breaches. The agency became aware of the first breach on Aug. 7.
The agency contacted the RCMP on Aug. 11 and began to step up its own security measures, Butikofer said.
Canadians were only notified of the breach over the weekend when CRA temporarily became the target of another attack and decided to shut down its online platforms, cutting off access to services connected to My Account, My Business Account and Represent a Client.
Butikofer said My Business Account, which is used by employers, is back online with additional safety measures so employers can apply for the most recent round of the emergency wage subsidy.
She said CRA hopes to have its online services for individuals back up and running by mid-week. In the meantime, Canadians can still apply for COVID-19 benefit programs by calling 1-800-959-8281.
CRA is sending letters to Canadians whose accounts were breached with instructions about how they can confirm their identity and regain access. Anyone who becomes a victim of identity theft will be eligible for creditor protection and will be "made whole," Butikofer said.
Lori MacDonald, chief operating officer of Service Canada, apologized on behalf of the Government of Canada for any inconvenience caused by the attack.
The government is advising Canadians to use unique passwords for all online accounts and to check for suspicious activity.
"If you've been a victim here, there's a good chance you're a victim elsewhere, as well," Brouillard said. "These credentials were stolen at some point in the past and these hackers are reusing them."
The RCMP has confirmed that its National Division, which investigates "sensitive, high profile cases that threaten Canada's political, economic and social integrity," is actively looking into the attacks.
At today's briefing, officials wouldn't say if they're aware of who is responsible for the attack, but they didn't rule out the possibility that foreign actors were responsible. The Canadian government was previously targeted by foreign hackers in 2011; they stole highly classified federal information.
More recently, a hacker group suspected of being backed by the Russian government tried to steal COVID-19-related vaccine research in Canada, the U.K. and the U.S., according to intelligence agencies in all three countries.
The Canadian Anti-Fraud Centre, a federal agency, said more than 13,000 Canadians have been victims of fraud totalling $51 million this year. There have been 1,729 victims of COVID-19 fraud worth $5.55 million.
With files from Philip Ling and The Canadian Press