Several services, including the national revenue agency, had to be shut down following a series of credential-stuffing attacks
Cybercriminals set their sights on the Canadian government at the beginning of August, when several government services were disabled following a series of cyberattacks. On August 15, the Treasury Board Secretariat announced that approximately 11,000 online government services accounts, originating from the Government of Canada Key service (GCKey) and Canada Revenue Agency (CRA) accounts, had been victims of hacking attempts. The GCKey allows Canadians to access the online services of several Government of Canada programs and services, including Employment Insurance services, while the CRA manages Canadians’ tax services as well as Canada Emergency Benefit (ECP) payments, a support program for employees who have lost their jobs due to the pandemic.
On August 7, CRA noticed the first signs of credential-stuffing attacks on its website. Credential stuffing means criminals try to use previously stolen credentials to log into another account owned by the same victim. Unlike a brute-force attack, bad actors therefore use previously stolen user/password combinations to access a third-party service.
Annette Butikofer, CRA’s Chief information officer, explains that the agency did not notify the Royal Canadian Mounted Police (RCMP) until August 11, then informing the general public and suspending access to its online services on August 15. “We were very confident that the monitoring was good, but after [the events involving] the KEICC, we noticed an attack on Saturday and decided to block and close our web portal,” she said. The agency’s online services were restored on August 19.
The government estimates that approximately 11,200 accounts were hacked. Of these, approximately were 5,600 for the CRA and 9,000 for the KeyGC system. Of the CRA accounts affected, more than half were hacked using the GCKey access. The CRA states that it is sending a letter to all those whose accounts were hacked.
What can we do?
We don’t at this time have details as to the types of data that the bad actors have had access to, and whether all victims of these attacks have already been reached out to by the government so far.
However, since we are talking about credential-stuffing attacks, we can point out that people who use the same credentials for multiple sites and programs are at risk of being victims of this type of attack. Various resources are available to help you find out if one of your accounts has ever been the victim of a data breach. We recommend that you consult our recent article on this subject for more details.
Related reading: How much is your personal data worth on the dark web?
Even if you might not have been a victim of cyber attackers this time around, adopt better security habits now to avoid being a victim of the next attack.
First and foremost, we can never say it too much: never recycle a password. This is an easy and essential step to ensure the security of you and your data. In this case, the bad actors used previously stolen login/password combinations for their attacks.
- Use passwords – or better yet, passphrases – that are strong and unique for each of your accounts.
- You can use a reliable password manager to help you create and, above all, memorize strong and unique passwords.
- Enable multi-factor authentication, whenever it’s available, to add an extra layer of security to your accounts.
- Regularly check your personal records for anomalies, especially if you have been the victim of data theft.