With files from Howard Solomon
The Government of Canada says thousands of GCKey service and Canada Revenue Agency income and business tax accounts have been slammed with multiple credential stuffing attacks.
Used by roughly 30 federal departments, GCKey lets Canadians access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account. The Treasury Board of Canada Secretariat says that of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were obtained fraudulently and used to try to access government services. A third of those accounts were used to access government services and are being “further examined for suspicious activity.”
The bad news continues. Approximately 5,500 CRA accounts were targeted as part of the GCKey attack and another recent “credential stuffing” attack aimed at the CRA, according to an Aug. 15 press release.
“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount,” it reads.
The RCMP is investigating, and the federal Privacy Commissioner has been contacted and alerted to possible breaches. But as of August 15th, it was unclear whether any information was obtained from the attack. CBC News reports that several Canadians say email addresses associated with their CRA accounts had been changed, their direct deposit information altered, and that COVID-19 aid payments under the Canada Emergency Response Benefit had been issued in their name even though they had not applied for the benefit.
The CRA says affected users will be contacted directly.
IT World Canada has reached out to the Treasury Board of Canada Secretariat to confirm the exact number of affected CRA accounts and will update the story upon confirmation. A CRA spokesperson declined a request for an interview and instead referred a reporter to Saturday’s press release.
That release says CRA is prioritizing calls from the victims of the attacks and is answering calls as quickly as possible. When calling the CRA, the statement says, impacted individuals can select the “report suspected fraud or identity theft” option to expedite their call to a specialized agent appropriately trained to handle these priority calls.
To prevent access to other online government accounts, the link between CRA My Account and My Service Canada Account has temporarily been disabled.
CRA says to help reduce the risk of cyberattacks residents should always use a unique password for all online accounts. “Do not reuse the same password for different systems and applications and regularly monitor all online accounts for suspicious activity.”
The attacks raise the question of why Ottawa doesn’t force all users who register for online services to use two-factor authentication. In an email, Brett Callow, a British Columbia-based threat analyst for Emsisoft, noted that federal websites offer multiple login options, including sign-in via financial institution and provincial government accounts. “While this may be convenient, it results in an expanded attack surface and increases the opportunity for exploitation as the credentials used for logging into those third-party services could, if compromised, be used to improperly access the federal government’s services. The government may well need to re-think this strategy as well as consider implementing multi-factor authentication to further secure accounts.”
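Credential stuffing of the kind described above leaves a signature in authentication logs that password guessing against a single account does not: one source address trying a large number of distinct usernames in a short window, most attempts failing, and a handful succeeding because those users reused a password that had leaked elsewhere. The following is an added example, not code from the article, the CRA or the Treasury Board Secretariat; the log format, the thresholds and the sample log lines are constructed for illustration, and the address-based grouping assumes the attacker did not rotate through a proxy pool, which is a common evasion and the main caveat for this kind of check.

```python
"""Flag credential-stuffing activity in a simple authentication log.

Added example: constructed log format is
    <ISO-8601 UTC timestamp> <source IP> <username> <OK|FAIL>
Thresholds (window_s, min_accounts, min_fail_ratio) are assumptions
that a real deployment would tune against its own baseline.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple


class LoginEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


# Constructed sample: 203.0.113.7 replays ten leaked username/password
# pairs in a few seconds (two users reused their password and the login
# succeeds); 198.51.100.20 is one person mistyping their own password;
# 192.0.2.33 is a normal single login.
SAMPLE_LOG = """\
2020-08-14T02:00:01Z 203.0.113.7 alice FAIL
2020-08-14T02:00:02Z 203.0.113.7 bob FAIL
2020-08-14T02:00:02Z 203.0.113.7 carol OK
2020-08-14T02:00:03Z 203.0.113.7 dave FAIL
2020-08-14T02:00:03Z 203.0.113.7 erin FAIL
2020-08-14T02:00:04Z 203.0.113.7 frank FAIL
2020-08-14T02:00:05Z 203.0.113.7 grace OK
2020-08-14T02:00:05Z 203.0.113.7 heidi FAIL
2020-08-14T02:00:06Z 203.0.113.7 ivan FAIL
2020-08-14T02:00:06Z 203.0.113.7 judy FAIL
2020-08-14T08:15:00Z 198.51.100.20 alice FAIL
2020-08-14T08:15:20Z 198.51.100.20 alice FAIL
2020-08-14T08:15:45Z 198.51.100.20 alice OK
2020-08-14T09:00:00Z 192.0.2.33 bob OK
"""


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(when, ip, user, result == "OK"))
    return events


def detect_credential_stuffing(
    events: List[LoginEvent],
    window_s: int = 300,
    min_accounts: int = 5,
    min_fail_ratio: float = 0.5,
) -> Dict[str, dict]:
    """Return, per flagged source IP, the largest window that met the rule.

    Rule: within window_s seconds, a single IP attempted at least
    min_accounts distinct usernames and at least min_fail_ratio of the
    attempts failed. Many distinct accounts is what separates stuffing
    from brute force against one account (one user, many passwords).
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_s.
            while (evs[end].ts - evs[start].ts).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e.user for e in window}
            failures = sum(1 for e in window if not e.ok)
            if len(users) >= min_accounts and failures / len(window) >= min_fail_ratio:
                prev = findings.get(ip)
                if prev is None or len(users) > prev["distinct_accounts"]:
                    findings[ip] = {
                        "distinct_accounts": len(users),
                        "attempts": len(window),
                        "failures": failures,
                        # Accounts that logged in successfully from a stuffing
                        # source: these are the ones to lock and review.
                        "compromised": sorted(e.user for e in window if e.ok),
                    }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The "compromised" list is the actionable output: accounts that authenticated successfully from a source exhibiting the stuffing pattern are the equivalent of the roughly one third of the 9,041 GCKey accounts the government says are being examined further, and they are the ones whose recent profile changes (contact email, direct deposit details) deserve review. Grouping by IP is deliberately the weakest part of this check; attackers who spread attempts across many addresses defeat it, which is why the usual complement is correlating against known-breached credential lists and, as the article's sources argue, requiring a second factor so a reused password alone is not enough.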
1/5 The GC has taken action in response to credential stuffing attacks mounted on the GCKey service and the CRA. pic.twitter.com/KZhvFKFQot
— Digital Government (@DigitalCDN) August 15, 2020
Finally did get through to CRA about my online account being suspended.
Someone did try to get access to my tax account but did not get the password. They also tried to go through the password recovery but couldn’t answer my questions.
CHECK YOUR ACCOUNTS
— Kay M. Dingwell (@CanadianKayMD) August 14, 2020