OTTAWA — In a major update to the impact of a series of credential stuffing attacks on government websites including the Canada Revenue Agency, the country’s top information officer now says that “suspicious activities” have been found on 48,500 CRA user accounts.
In August the CRA temporarily shut down its online services and applications after hackers used thousands of previously stolen usernames and passwords to fraudulently access government services in three separate but serious breaches, compromising the personal information of thousands.
While it was initially reported that 5,500 CRA account users had their personal information accessed, officials then updated that number, saying a total of 11,200 accounts across Government of Canada services were compromised in the attacks. These included cyberattacks directly targeting both CRA accounts as well as “GCKey” accounts, which can be used by 30 government departments and agencies to access other online portals such as veterans’ benefits and immigration applications.
But now, the number has more than quadrupled, with evidence that hackers were accessing Canadians’ accounts for a month before the CRA realized.
“As a result of ongoing forensic analysis of these cyber incidents, the CRA has identified suspicious activities occurring between early July and August 15 on approximately 48,500 of the more than 14 million CRA user accounts,” said the Office of the Chief Information Officer in a statement issued on Thursday.
Government officials initially said they first became aware of security issues on Aug. 7, contacted the RCMP on Aug. 11, and yet Canadians were not informed until nearly a week later. As CTVNews.ca has reported, some Canadians warned the government months before that something was wrong.
After getting its online services back up and running for the most part, the government said it was working on notifying all affected users and tallying the damage done by these cyberattacks.
Those who had their accounts breached and suspended were to receive a letter explaining how to confirm their identity in order to protect and restore access to their accounts or create new ones.
CTVNews.ca has asked the CRA to confirm how many of the impacted users have since been able to regain access to their accounts—which can be used to apply for federal emergency aid programs— but the agency has not responded.
The new statement says that additional “safeguards” have been placed on all affected accounts and that all valid emergency benefit payments will be issued.
“The CRA will work with individuals affected by identity theft or fraud to help ensure they are not held liable for fraudulent claims and payments made by fraudsters using their account. Individuals whose accounts have been compromised will be offered credit protection services free of charge,” the statement said.
The RCMP investigation is ongoing and the impacted government departments are conducting their own investigations.