Federal authorities were scrambling for answers over the weekend after revealing that hackers used thousands of stolen usernames and passwords to fraudulently obtain government services — with the extent of the damage still unclear.
More than 9,000 hijacked accounts that Canadians use to apply for and access federal services have been cancelled after being compromised in what the Treasury Board of Canada described as “credential stuffing” attacks.
“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts,” the federal department said in a statement.
The hacked accounts were tied to GCKey, which is used by around 30 federal departments and allows Canadians to access various services such as employment insurance, veterans’ benefits and immigration applications.
One−third of those accounts successfully accessed services before all of the affected accounts were shut down, said the Treasury Board, which is responsible for managing the federal civil service as well as the public purse.
Officials are now trying to determine how many of those services were fraudulent.
The GCKey attack included thousands of Canada Revenue Agency accounts, through which Canadians can access their income−tax records and other personal information as well as apply for financial support related to the COVID−19 pandemic.
A total of 5,500 CRA accounts were targeted through the GCKey attack and an earlier “credential stuffing” scheme, the Treasury Board said.
“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount,” the department said.
Yet at least one victim says she has yet to hear anything from the government after someone hacked into her CRA account earlier this month and successfully applied for the $2,000−per−month Canada Emergency Response Benefit for COVID−19.
Leah Baverstock, a law clerk in Kitchener, Ont., says she first realized her account had been compromised and contacted the revenue agency herself when she received several emails from CRA on Aug. 7 saying she had successfully applied for the CERB.
“The lady I spoke to at CRA, she’s said: ’This is a one−off,’” said Baverstock, who has continued to work through the pandemic and did not apply for the support payments.
“And she told me a senior officer would be calling me within 24 hours because my account was completely locked down. And I still haven’t heard from anybody.”
Baverstock expressed frustration at the lack of contact, adding she still does not know how the hackers accessed her account. She has since contacted her bank and other financial institutions to stop the hackers from using her information to commit more fraud.
“I am quite concerned,” she said. “Somebody could be leaving under my name. Who knows. It’s scary. It’s really scary.”
The Treasury Board did not reveal how many of the CRA accounts were compromised or the cost of the suspected fraud, but said federal officials as well as the RCMP and federal privacy commissioner were conducting separate investigations.
And while the CRA says victims will get letters explaining how to confirm their identities to regain access to their accounts, it did not say how those receiving the Canada Child Benefit, CERB and other services will be affected by their accounts being suspended.
The government warned Canadians to use unique passwords for all online accounts and to monitor them for suspicious activity.
The Canadian Anti−Fraud Centre says more than 13,000 Canadians have been victims of fraud totalling $51 million this year. There have been 1,729 victims of COVID−19 fraud worth $5.55 million.