‘Vulnerability’ led to Canadians’ data being accessed in series of cyberattacks

August 17, 2020

OTTAWA — A series of cyberattacks levelled against the Government of Canada exploited an internal “vulnerability” and leveraged previously hacked login information, leading to the breach of thousands of Canadians’ online Canada Revenue Agency accounts, federal officials say.

Over the weekend, the Canada Revenue Agency temporarily shut down its online services and applications after hackers used thousands of stolen usernames and passwords to fraudulently access government services in three separate but serious breaches, compromising the personal information of thousands.

While it was initially reported that 5,500 CRA account users had their personal information accessed, officials confirmed on Monday that a total of 11,200 accounts for Government of Canada services were compromised in a trio of attacks. 

These included cyberattacks directly targeting both CRA accounts and “GCKey” accounts, which can be used by 30 government departments and agencies to access other online portals such as veterans’ benefits and immigration applications.

In total there were more than 9,000 impacted “GCKey” accounts and 5,600 CRA accounts, though more than half of the CRA accounts were believed to be tied back to the initial “GCKey” breach, officials said. 

“The bad actors were able to use the previously hacked credentials to access the CRA portal. They were also able to exploit a vulnerability in the configuration of security software solutions, which allowed them to bypass the CRA security questions and gain access to a user’s CRA account. This vulnerability was patched and the risk of this attack vector has been mitigated,” said Marc Brouillard, the acting chief information officer for the Government of Canada, during a Monday morning technical briefing on the incidents.

Government officials said they first became aware of security issues on Aug. 7, yet Canadians were not informed until this weekend, after further attacks were executed. 

The CRA defended not notifying Canadians earlier, stating that plans needed to be made internally to notify people and help regain access to their breached accounts.

Officials would not comment on who may have been behind the attacks. 

The government says the cyberattacks used “credential stuffing” schemes, where stolen passwords and usernames from other websites are tested to try to access users’ other online accounts, taking advantage of the reality that despite advice against it, many Canadians reuse passwords and usernames across multiple online accounts. 

The temporary online shutdown comes as many Canadians and Canadian businesses are still relying on COVID-19 emergency federal aid programs to stay financially afloat, such as those accessing the Canada Emergency Response Benefit.

Monday was to be the first day employers could begin applying for the revamped federal wage subsidy program, but these attacks have put that on hold. Now, the estimate is that online services will be back up and running by Wednesday. 

Officials suggested those needing to apply for aid or access their online services for another reason do so over the phone. 

Impacted individuals have had their accounts suspended, and the government is working on notifying all affected users and tallying the damage done by these cyberattacks. Government officials are encouraging all who suspect they have had their accounts compromised to report it, and check the status of other login accounts, such as online banking. 

Impacted individuals will receive a letter from the CRA explaining how to confirm their identity in order to protect and restore access to their CRA account, the revenue agency says. 

The RCMP and federal privacy commissioner are investigating. 

With a report from CTV News’ Heather Wright   
