Judge Certifies Lawsuit Alleging CRA Allowed Hackers to Breach Thousands of Online Taxpayer Accounts

The Canada Revenue Agency (CRA) headquarters Connaught Building is pictured in Ottawa on Aug. 17, 2020. (Sean Kilpatrick/The Canadian Press)
Peter Wilson

A federal judge has certified a class action lawsuit alleging that the Canada Revenue Agency (CRA) allowed thousands of taxpayer identities to be breached by hackers, who then used the information to illegally collect Canada Emergency Response Benefit (CERB) payments.

Based on the accusations of the case's plaintiff, BC resident Todd Sweet, federal judge Richard Southcott wrote that it appears thousands of Canadians "were vulnerable to hackers from approximately June to August of 2020" because the CRA allegedly was dealing with "operational failures" that prevented it from securing online taxpayer portals.

"The Plaintiff further alleges that, by obtaining unauthorized access to those accounts, hackers were able to commit identity theft and CERB fraud and access sensitive and personal information," Southcott wrote in "Todd Sweet v. Her Majesty the Queen," as first reported by Blacklock's Reporter.

Sweet alleges that personal information such as social insurance numbers, direct-deposit banking numbers, and tax and employment records was left vulnerable to hackers in the breach because of a system glitch.

"Threat actors were able to bypass the security questions, and access My Account, because of a misconfiguration in CRA’s credential management software," Southcott wrote. "CRA learned of this method to bypass the security questions on Aug. 6, 2020, when it received a tip from a law enforcement partner that such a method was being sold on the Dark Web."

Hackers carried out what Southcott called "credential stuffing"—a cyberattack in which usernames and passwords are stolen, sold on the dark web, and used to gain access to personal services.

Southcott wrote that over 48,000 CRA accounts were hacked, of which only about 17,000 actually had their credentials misused or sold online.

"The threat actors actually logged in to 26,250 My Accounts," he said. "In 13,550 of the My Accounts, although the security question bypass was used, the threat actor only viewed the homepage, meaning that some personal information was accessed, but no application was submitted for CERB."

However, in almost 13,000 accounts, hackers changed taxpayers' direct-deposit information and submitted fraudulent CERB applications.

The CRA said that, after learning of the system breach on Aug. 6, 2020, it took four days to resolve it.

Sweet alleges that the breach happened because the government rolled out the COVID-19 response benefits "hastily and recklessly without taking necessary precautions" and says that the CRA should've been aware that its online systems were "vulnerable to unauthorized breaches."

Sweet further alleges that the CRA observed increased "fraudulent activity" at the beginning of each month leading up to the breach, but that the federal agency "did nothing to notify or warn the Plaintiff."