Thousands of government service and CRA accounts hit by credential stuffing attack

With files from Howard Solomon


The Government of Canada says thousands of GCKey service and Canada Revenue Agency income and business tax accounts have been slammed with multiple credential stuffing attacks.

Used by roughly 30 federal departments, GCKey lets Canadians access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account. The Treasury Board of Canada Secretariat says that of the approximately 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were obtained fraudulently and used to try to access government services. A third of those hacked accounts accessed government services and are being “further examined for suspicious activity.”




The bad news continues. Approximately 5,500 CRA accounts were targeted as part of the GCKey attack and another recent “credential stuffing” attack aimed at the CRA, according to an Aug. 15 press release. 

“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information, and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount,” it reads.

The RCMP is investigating, and the federal Privacy Commissioner has been contacted and alerted to possible breaches. But as of August 15, it was unclear if any information was obtained from the attack. CBC News reports that several Canadians say email addresses associated with their CRA accounts had been changed, their direct deposit information had been altered, and COVID-19 aid payments under the Canada Emergency Response Benefit (CERB) had been issued in their name even though they had not applied for the benefit.

The CRA says affected users will be contacted directly.

IT World Canada has reached out to the Treasury Board of Canada Secretariat to confirm the exact number of affected CRA accounts and will update the story upon confirmation. A CRA spokesperson declined a request for an interview and instead referred a reporter to Saturday’s press release.

That release says CRA is prioritizing calls from the victims of the attacks and is answering calls as quickly as possible. When calling the CRA, the statement says, impacted individuals can select the “report suspected fraud or identity theft” option to expedite their call to a specialized agent appropriately trained to handle these priority calls.

To prevent access to other online government accounts, the link between CRA My Account and My Service Canada Account has temporarily been disabled.

The CRA says that, to help reduce the risk of cyberattacks, residents should always use a unique password for each online account. “Do not reuse the same password for different systems and applications and regularly monitor all online accounts for suspicious activity.”

The attacks raise the question of why Ottawa doesn’t force all users who register for online services to use two-factor authentication. In an email, Brett Callow, a British Columbia-based threat analyst for Emsisoft, noted that federal websites offer multiple login options, including sign-in via financial institutions and provincial government accounts. “While this may be convenient, it results in an expanded attack surface and increases the opportunity for exploitation as the credentials used for logging into those third-party services could, if compromised, be used to improperly access federal government’s services. The government may well need to re-think this strategy as well as consider implementing multi-factor authentication to further secure accounts.

“This incident also demonstrates how important it is for people not to re-use passwords and to use multi-factor authentication wherever it’s offered. Breaches are extremely common and credential stuffing attacks, which make use of the credentials stolen in those breaches, are extremely common too. Practicing good password hygiene is the best way to protect yourself from experiencing the inconvenience of your accounts being compromised.”

David Swan, Alberta-based director of the Center for Strategic Cyberspace + International Studies, which has offices in Washington and London, said in an email he isn’t surprised at the hack. “No federal party has committed to protecting Canadians through up-to-date cyber law, giving enough resources to any federal agency to respond to hackers or creating federal-level cybersecurity responses that protect the average Canadian.

“To get targeted, the attacker had to know who they were targeting – a critical security failure: Strike one. For the ‘phish’ to work, it had to evade security software designed to catch such things if there was any: Strike two. For 5,500 accounts to be accessed, that is a lot of strikes. Worse, where is the response for the victims? That the CRA says ‘both issues are now considered contained.’ Who cares? 5,500 taxpayers have a problem. I would hardly describe that as ‘contained’.”

Noting that the CRA is advising Canadians to watch their MyAccount for suspicious activity, Swan concluded, “We had better look after ourselves because the Government of Canada, the CRA and even federal politicians, have no interest in looking after us.”

The quickly deployed COVID-19 benefits programs offered by governments around the world are prime targets for hackers because of the huge sums of money involved. In May, the CRA issued an alert warning residents not to reply to text messages saying they have received a deposit for the CERB. This was followed by an alert issued by the Canadian Anti-Fraud Centre.

Also in May, our Cyber Security Today podcast reported the discovery by Kela Research of a CERB cheque scam, with criminals selling editable digital copies of CERB cheques on the dark web. A criminal can either purchase a digital file and fill in their own name or have a criminal service do the editing for them. Typically, the cheque is put into a bank by mobile deposit, into what is called a “drop” account. These are accounts that were opened by criminals some time ago with a fake ID and are used for transferring money. Criminals often buy and sell drop accounts from each other.

Opposition critics have complained the government rushed the CERB program without checks and balances to prevent fraud.

The New York Times reported in May that a group of international fraudsters appeared to have mounted an immense, sophisticated attack on U.S. unemployment systems to siphon millions of dollars in COVID-19-related payments. “The attackers have used detailed information about U.S. citizens, such as social security numbers that may have been obtained from cyber hacks of years past, to file claims on behalf of people who have not been laid off,” officials said.

Last month, the FBI reported a spike in fraudulent U.S. unemployment insurance claims complaints related to the pandemic involving the use of stolen personally identifiable information.


Alex Coop
Former Editorial Director for IT World Canada and its sister publications.
