The Canada Revenue Agency (CRA) has resumed all online services. The CRA My Account, My Business Account, and Represent a Client portal were deactivated earlier this week following several cyberattacks targeting COVID-19 benefits and breaching thousands of Canadians’ accounts and personal data.
Hackers launched a series of “credential stuffing” attacks against both the CRA and the GCKey service (a portal used by roughly 30 federal departments), using usernames and passwords fraudulently obtained in other hacks. The cyber-thieves took advantage of the fact that many people reuse the same or similar passwords across their accounts.
Some of the affected individuals noticed these indicators:
- Changes in the email address used on the CRA My Account
- Direct deposit information issued to new bank accounts
- Applications for the Canada Emergency Response Benefit (CERB) or other benefits made without their knowledge
However, many of the impacted users were alerted to the breach by an official email from the CRA.
In a statement from the Treasury Board of Canada Secretariat, the government suggested approximately 5,500 CRA accounts and 9,041 GCKey accounts were compromised.
CRA service disruptions
Unfortunately, Canadians were unable to access the COVID-19 aid measures online during the CRA service disruptions.
- CERB: The COVID-19 emergency benefit provides Canadians who have been financially impacted by the pandemic with $2,000 every four weeks and requires applicants to reapply at the end of each payment period.
- Canada Emergency Student Benefit (CESB): Eligible students who have been unable to work due to COVID-19 can receive $1,250 per four-week period or $2,000 per month if the student has dependents or a disability.
- Canada Emergency Wage Subsidy (CEWS): Employers who have seen a drop in revenue may qualify for this benefit to cover part of employee wages. Monday, August 17, 2020, was the first day employers could apply for the updated CEWS program.
- Tax owing: Many taxpayers use the online CRA portal to pay their personal and business tax amounts owing and installment payments for the 2020 tax year. The CRA extended the deadline for personal, corporate, and trust income tax amounts due to September 30, 2020.
However, the CRA and Service Canada phone lines remained open for those requiring access.
Account updates and additional security measures
As a precaution, the CRA services were unavailable to Canadians and affected GCKey accounts were cancelled. During this time, additional security features were installed, addressing the vulnerabilities on the web service.
The CRA or affected federal department will contact impacted individuals to confirm their identities and provide instructions on how to receive a new GCKey or restore their account.
Both the federal privacy commissioner and the RCMP are investigating the cybercrime to determine how much information was acquired.
CRA security modifications
The government has modified its systems and added security features to fend off the persistent cyber-threats and detect future attacks. Users can now set up a unique personal identification number on their account to safeguard their details.
At-home cybersecurity measures
Since the start of the pandemic, the emergency benefits have been a frequent target for thieves running scams, fraud and theft. Popular techniques include texting scams, identity theft, and forged CERB cheques.
Here are a few steps you can take to identify potential scams and protect your online data:
- Change your password regularly (avoid using passcodes that are the same as or similar to those on your other accounts)
- Enable email notifications where the feature is available (CRA My Account)
- Never use public Wi-Fi networks to access personal accounts (bank, CRA, etc.)
- Never respond to fraudulent communications (email, text, phone)
If you are unsure whether a communication is legitimate, the CRA has created a list of guidelines for the types of questions and details you can expect from the agency, which you can use to verify its authenticity.