CRA cyberattack victims say they notified agency about hack long before breaches confirmed

By | August 19, 2020

TORONTO — Following the Canada Revenue Agency’s admission over the weekend that thousands of Canadians’ accounts had been compromised in a series of recent cyberattacks, two victims say they notified the CRA about the hacks weeks – and even months – earlier.

According to the CRA, hackers accessed the accounts of 5,500 Canadians using stolen usernames and passwords in three separate cyber security incidents. Government officials said they first learned of the security issues on Aug. 7 and contacted the RCMP to investigate on Aug. 11.

However, Linda Bradford said she alerted the CRA about a breach in her account months earlier, all the way back in May.

She said she first spoke with a CRA representative on May 8 to tell them her account information had been changed without her consent. The bank account to which her Canadian Emergency Response Benefit (CERB) payments were deposited had been switched to a new one at Tangerine Bank, which she had not opened.

Bradford said the CRA agents she spoke with didn’t know what had happened to her account and opened an investigation with Tangerine Bank. Since then, she said she has spoken with approximately seven CRA representatives to have her CERB payments reinstated.

“It was just insane,” she told during a telephone interview on Tuesday. “I cannot tell you how many hours I spent on the phone.”

Bradford, who has run a bed and breakfast for 19 years with her husband in Owen Sound, Ont., has been collecting CERB since the pandemic began. She said they haven’t reopened and still rely on CERB because they’re both in their seventies and her husband is immunocompromised.

The business owner said she became angry when she learned that government officials were telling the public they only became of aware of the cyberattacks in early August.

“My reaction was ‘You liars. You knew,’” she recalled. “I probably wasn’t the first person to call and I called May 8.”

Another victim of a cyberattack, Sara – who did not want her full name used because she works for another department of the federal government – said she also notified the CRA about her account long before Aug. 7.

It’s unclear whether the hacks involving Sara and Bradford’s accounts are related to the larger security incidents recently announced by the CRA. has reached out to the CRA for comment, but did not hear back by the time of publication.

Sara said she realized her account had been compromised when she received an email on July 16 informing her that her email address had been removed from her CRA profile. When she went to investigate the next day, Sara said she discovered her account information had been updated and a new TD Bank account had been added without her knowledge.

Sara said she called the CRA that day and learned that someone had applied for CERB in her name and the payment was in the process of being delivered to the account with TD Bank. She said she was told that a resource officer would call her back 24 hours later.

When she didn’t hear back from the CRA after a few days, Sara said she called them again on July 21. Since then, she has learned that CERB payments had been made from her account and it has been disabled.

Sara said she’s been frustrated by the lack of communication from the CRA and the fact that they said they only learned about the breaches on Aug. 7.

“Even if I was the first to have called, [the breach to my account was] pretty substantial, and to think that nothing was locked down until the seventh of August…” she said. “I would have hoped that somebody would have looked into it and did what they needed to do to lock down the access.”

Both Sara and Bradford said they have been on pins and needles as they closely monitor their bank accounts to see if anyone has applied for a loan or a credit card in their names.

“No one has tried anything yet, but you don’t know,” Bradford said. “I’m a pretty innocent, honest person here. I don’t think like a criminal. So I don’t know all the things they could do with my SIN [social insurance number].”

“It’s just so unnerving that somebody else has all this information,” Sara said. “They know my child’s name, they know my child’s date of birth, they know where I live… I feel so violated.”   

View original article here Source