The Canada Revenue Agency has revealed it was recently hit by two cybersecurity incidents resulting in breaches to the agency’s My Account, My Business Account and Represent a Client services.
The agency confirmed Saturday that as of Aug. 14, about 5,500 accounts had been affected by the separate incidents but that the breaches are now contained.
“The CRA quickly identified the impacted accounts and disabled access to these accounts to ensure the safety and security of the taxpayer’s information,” CRA spokesperson Christopher Doody wrote in an email.
“The CRA is continuing to analyze both incidents. Law enforcement assistance has been requested from RCMP and an investigation has been initiated.”
The admission came after repeated inquiries from CBC News after CBC noticed a pattern of similar hacks occurring over the past two weeks.
Earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, their direct deposit information altered and that CERB payments had been issued in their name even though they had not applied for the benefit.
Most reported that they were first alerted to the suspicious activity after receiving legitimate emails from the CRA confirming that their email addresses had been discontinued.
CRA Fraud Alert 1/n:<br>My wife woke up to multiple emails from Canada Revenue Agency saying she was going to receive a CERB payment and her Direct Deposit information was changed.<br><br>She had done none of these things…
Attacks based on reused usernames, passwords
The incidents are a type of attack known as “credential stuffing,” the Treasury Board’s Office of the Chief Information Officer said in a statement.
“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.”
Aside from CRA accounts, thousands of others linked to GCKey — a secure portal that allows Canadians to access government services online — were also affected.
“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” the statement read.
Canada’s cyber intelligence agency recommends that anyone affected by the breach update their passwords immediately and to choose something they will not use for any other account.