Hackers filed thousands of CERB apps, made claims using real CRA accounts

Backcountry Media/Shutterstock

Newly released court documents have revealed that in 2020, thousands of Canada Revenue Agency (CRA) accounts were hacked and used to file fraudulent CERB applications.

That year, the federal government introduced the Canada Emergency Response Benefit program, aimed at helping Canadians financially affected by the pandemic with payments of up to $2000 per month.

During the summer months, tens of thousands of suspicious log-in attempts were made to take advantage of the program.

Hackers were able to successfully log in to at least 48,110 CRA profiles using the proper credentials during the breach. Of these, 21,860 did not see more fraudulent activity following the unauthorized login.

“This is potentially understood as a stage of the attack in which the threat actor was ensuring that the credentials worked,” read the court documents.

But in the case of 12,700 taxpaying Canadians, their CRA direct deposit information was successfully changed. Sometimes, multiple CERB applications were submitted through a single profile. The hackers even managed to make monetary claims.

The breach has resulted in a major class action against the Canadian government. It is helmed by Todd Sweet, a former police officer based in Clinton, BC, who had been victimized by the fraud.

The federal court certified the class action lawsuit on Thursday, nine months after Sweet requested it is categorized as one.

On July 2, 2020, Sweet received emails notifying him that his email address had been removed from his online CRA account.

When he looked into the matter, he discovered that his direct deposit info had been altered. Just days before he was alerted, four CERB applications had already been submitted fraudulently through his account.

The lawsuit claims that CRA was “aware of an increase in fraudulent activity at the beginning of each monthly CERB and CESB period and generally during the time at issue but did nothing to notify or warn the Plaintiff.”

So far, the Canadian government has claimed that Sweet is focusing on and arguing against using existing federal service tools — such as the CRA website — to implement the CERB program.

Sweet counter-argues that his allegations don’t focus not on this but on the inadequate security protocols that failed to protect Canadians who signed up for CRA online services, hoping their personal and financial data would remain in safe hands.

Source: National Trending Stuff/DH News