The Canada Revenue Agency (CRA) has resumed all online services. The CRA My Account, My Business Account, and Represent a Client portal were deactivated earlier this week following several cyberattacks targeting COVID-19 benefits and breaching thousands of Canadians’ accounts and personal data.
Hackers used a series of “credential stuffing” attacks on both the CRA and GCKey service—a portal used by roughly 30 federal departments—using usernames and passwords fraudulently obtained in other hacks. The cyber-thieves took advantage of the fact many people reuse the same or similar passwords across their accounts.
Some of the affected individuals noticed these indicators:
However, many of the impacted users were alerted to the breach by an official email from the CRA.
In a statement from the Treasury Board of Canada Secretariat, the government suggested approximately 5,500 CRA accounts and 9,041 GCKey accounts were compromised.
Unfortunately, Canadians were unable to access the COVID-19 aid measures online during the CRA service disruptions.
However, the CRA and Service Canada phone lines remained open for those requiring access.
As a precaution, the CRA services were unavailable to Canadians and affected GCKey accounts were cancelled. During this time, additional security features were installed, addressing the vulnerabilities on the web service.
The CRA or affected federal department will contact impacted individuals to confirm their identities and provide instructions on how to receive a new GCKey or restore their account.
Both the federal privacy commissioner and the RCMP are investigating the cybercrime to determine how much information was acquired.
The government has modified its systems and added security features to fend off the persistent cyber-threats and detect future attacks. Users can now set up a unique personal identification number on their account to safeguard their details.
Since the start of the pandemic, the emergency benefits have been a hot target for thieves to initiate scams, fraud and theft. Popular techniques include texting scams, identity theft, and forged CERB cheques.
Here are a few steps you can take to identify potential scams and protect your online data:
If you are unsure of the legitimacy of the communication, the CRA has created a list of guidelines for the types of questions and details you can expect from the agency to verify their authenticity.