The Canada Revenue Agency, the governmental department responsible for overseeing taxes in Canada, has admitted that 9,041 accounts were compromised.
There’s been another security incident. This time, it affects Canadians and their accounts associated with the Canada Revenue Agency (CRA). In all, 9,041 accounts were affected by what is being described as credential stuffing. That is a method where attackers simply take stolen login credentials and re-use the passwords on other services. Upon the discovery of the compromised accounts, the CRA cancelled the keys associated with the affected accounts. In an official statement, the CRA explains that there are roughly 12 million keys in use. This actually suggests that a very small number of accounts were affected. From an official CRA statement:
The Government of Canada is taking action in response to “credential stuffing” attacks mounted on the GCKey service and CRA accounts. These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.
Used by approximately 30 federal departments, GCKey allows Canadians to access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account. Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity.
Affected GCKey accounts were cancelled as soon as the threat was discovered and departments are contacting users whose credentials were revoked to provide instructions on how to receive a new GCKey. More information is available on Canada.ca. If you have immediate concerns, please call 1-800-O-Canada.
Approximately 5,500 CRA accounts were targeted as part of the GCKey attack and another recent “credential stuffing” attack aimed at the CRA. Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount.
The government is continuing its investigation, as is the RCMP to determine if there have been any privacy breaches and if information was obtained from these accounts. As well, the Office of the Privacy Commissioner has been contacted and alerted to possible breaches.
While the statement may sound like boilerplate seen millions of times over, we happen to have an idea of how the CRA operates on the security front. If anything, the fact that authorities and regulators have already been contacted should be a pretty good hint as to where this is heading.
When it comes to security, the CRA takes it seriously to a fault. Accounts are constantly monitored. If accounts are accessed even by an insider for malicious purposes, chances are that person is leaving the building in handcuffs that day. Buildings are secure with security personnel. Connections are heavily encrypted. Password requirements are quite high. Mobile devices are disallowed from being connected to infrastructure. Nothing is approved without at least a small committee of engineers. In short, the CRA is a near-impenetrable fortress when it comes to security. You’re simply not going to hack it for the most part.
So, when we heard that accounts were compromised, our eyebrows were raised. Then we saw that it was the result of credential stuffing, which is likely the only way a hack even has a remote chance of going anywhere. Credential stuffing is probably one of the hardest things, if not the hardest thing, to police against. In short, if an account on a completely unrelated service gets hacked, credential stuffers take the hacked username and password and try them on accounts on other services. If the user re-used their password, the attackers can gain unauthorized access.
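What detection for this pattern can look like, as an added example (not code from the CRA or from the original article): it separates credential stuffing from ordinary password guessing by counting distinct usernames per source. The event format, thresholds and function name are assumptions, and the login events are constructed.

```python
from collections import defaultdict

# Constructed sample login events (source_ip, username, success); not real data.
SAMPLE_EVENTS = (
    # One source trying 30 different accounts once each; a third succeed.
    [("203.0.113.7", f"user{i:03d}", i % 3 == 0) for i in range(30)]
    # A legitimate user mistyping a password before getting in.
    + [("198.51.100.4", "alice", False)] * 4
    + [("198.51.100.4", "alice", True)]
    # Many guesses against a single account: brute force, not stuffing.
    + [("192.0.2.9", "bob", False)] * 40
)


def classify_sources(events, min_users=20, max_tries_per_user=2.0, guess_tries=10):
    """Label each source IP by login pattern and list accounts to revoke."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)

    report = {}
    for ip, s in stats.items():
        tries_per_user = s["attempts"] / len(s["users"])
        if len(s["users"]) >= min_users and tries_per_user <= max_tries_per_user:
            # Many accounts, about one attempt each: replayed username/password pairs.
            label = "credential_stuffing"
        elif tries_per_user >= guess_tries:
            label = "password_guessing"
        else:
            label = "normal"
        # Only successful logins from a stuffing source need their credentials revoked.
        revoke = sorted(s["hits"]) if label == "credential_stuffing" else []
        report[ip] = {"label": label, "users": len(s["users"]), "revoke": revoke}
    return report


if __name__ == "__main__":
    for ip, row in classify_sources(SAMPLE_EVENTS).items():
        print(ip, row["label"], row["users"], len(row["revoke"]))
```

A per-IP count like this misses attempts spread across many addresses, so it is one signal to combine with breached-password checks and multi-factor authentication.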
The question is, what were the hackers after? As it turns out, Canada Emergency Response Benefit (CERB) payments among other things. From the CBC:
The Canada Revenue Agency has temporarily shut down its online services after the agency confirmed it was recently hit by two cyberattacks that compromised thousands of accounts linked to its services.
While the breaches have been contained, services connected to My Account, My Business Account and Represent a Client on the CRA website have been disabled as an additional safety measure.
The shutdown means that anyone attempting to apply for emergency COVID-19 benefits, such as the Canada Emergency Response Benefit or the Canada Emergency Student Benefit, will be unable to do so until further notice.
The admission came after repeated inquiries from CBC News after CBC noticed a pattern of similar hacks occurring over the past two weeks.
Earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, that their direct deposit information was altered and that CERB payments had been issued in their name even though they had not applied for the COVID-19 benefit.
One thing to note: changing something like that requires additional hoops to jump through. That would explain why the number of impacted accounts is so low to begin with.
Knowing the CRA, they are already working on a method of trying to thwart such attacks in the future. One possibility is narrowing the IP range that can be used to access the account down to the city users live in. That could thwart a lot of attempts like this. Alternatively, they may require confirmation over the phone that the changes were, in fact, authorized. It would be a surprise if such ideas weren’t being floated by now.
At any rate, this incident will probably hurt the security image of the CRA for some. However, Canadians should be confident that the CRA is still an extremely secure organization. Given the low number of compromised accounts, if you are affected by this, count yourself as someone who got struck by lightning. That is an extremely unlikely event. By my calculation, you have a 0.075% chance of being affected by this one at worst. Consider buying a lottery ticket if you got hit by this one.
Drew Wilson on Twitter: @icecube85 and Facebook.