The federal government described the three separate hacks as a “credential stuffing” scheme — a type of cyberattack that uses passwords and usernames from other websites to access accounts with the CRA.
Essentially, it targets people who reuse the same username and password across multiple accounts.
The government said the attack was detected early on and has since been brought under control. However, the CRA’s online services aren’t expected to be back up and running until Wednesday.
The RCMP is now investigating the breaches.
Here’s a look at what officials say happened, and what you need to know.
The CRA was impacted by a total of three cybersecurity incidents.
The first and largest attack targeted GCKey accounts, which allow Canadians to access services like Employment Insurance (EI); My Service Canada accounts; Immigration, Refugee and Citizenship Canada accounts; and veterans programs. The attack may have allowed hackers to access 5,600 CRA My Accounts.
The second attack took place last week when hackers took advantage of a “vulnerability in security software, which allowed (the hackers) to bypass security questions and gain access,” Annette Butikofer, the chief information officer at the CRA, said during a news conference on Monday.
The third attack occurred over the weekend, prompting the CRA to suspend online services while it assessed the breach. Any “link” between CRA My Accounts and My Service Canada accounts was also temporarily disabled, officials said.
In total, about 5,600 accounts out of 15 million may have been impacted.
“The important thing to recognize in this particular case is that this is not an attack where they’re going through the backdoor, they’re applying credentials like normal users,” said Marc Brouillard, the federal government’s acting chief information officer.
“So it’s very hard to detect that traffic from normal traffic.”
Brouillard said the CRA has systems in place to monitor and look for these abnormal behaviours, which eventually identified the attack.
“Identifying the good from the bad is one of the ongoing challenges we’re working on,” he said.
How do I know if I was impacted?
Government officials say Canadians impacted will be notified by the CRA this week whether their account was breached and what to do about it.
A number of Canadians may have already received notification from the CRA by email or phone over the weekend, officials say. An email has also been sent to “every EI client,” said Lori MacDonald, the chief operating officer with Service Canada.
Letters have also been sent out to affected Canadians, which should be received sometime this week, according to officials.
However, some Canadians have noticed the breaches themselves.
A Kitchener, Ont., woman told The Canadian Press she first realized her account had been compromised when she received several emails from the CRA saying she had successfully applied for the emergency benefit program — which she did not.
What do I do if I was impacted?
Anyone who has been affected will be contacted by the CRA either by email or by letter, which will explain how to reconfirm your identity and restore access to your account.
The CRA and federal officials did not provide information on what’s required to reauthenticate a breached account.
Once reactivated, the account holder will be encouraged to add email notifications as an “additional level of security” should they not have the option activated already.
“These notifications act as an early warning to Canadians of potential breaches to their account,” said Butikofer.
If you notice unusual behaviour or changes on your account, the CRA encourages you to notify it.
MacDonald said if theft or fraud has been identified on an account, the CRA will “provide assistance and credit protection if necessary… to make sure the account is made whole.”
But since the breach stemmed from usernames and passwords originally stolen from other sites — and not the CRA — Brouillard said it’s important for anyone who believes they may have been impacted to do a sweep of all their other online accounts for any abnormal behaviour.
“If you’ve been a victim here, there’s a good chance you’re a victim elsewhere, as well,” he said. “These credentials were stolen at some point in the past and these hackers are reusing them.”
If I wasn’t impacted, what precautions can I take?
The government has warned Canadians to use unique passwords for all online accounts and to monitor them for suspicious activity.
The CRA has also encouraged anyone who hasn’t activated email notifications to do so.
Scott Jones, the head of the Canadian Centre for Cyber Security, said there are five steps Canadians can take to “significantly offset the risk of any threat by any hacker on any site.”
He recommends practising good password etiquette (i.e. not using the same password for multiple accounts and using two-factor authentication when available), knowing how to spot phishing attempts, securing social media and other accounts with as many protections as possible, keeping your computers and mobile devices up to date, and knowing how to store data securely.
“We ask that individuals do not contact us simply to ask if they’ve been affected as this can cause additional wait times for Canadians that urgently need to reach us,” said Butikofer.
Can I still apply for benefit programs?
The decision to briefly suspend the CRA’s online services comes as many Canadians continue to apply for COVID-19-related benefit programs, such as the fifth round of the federal wage subsidy program.
While online services are unavailable, Canadians can still apply for programs like the Canada Emergency Student Benefit or the Canada Emergency Response Benefit (CERB), according to a senior government official.
Canadians can apply by calling 1-800-959-8281.
Canadians can also still apply for these benefits retroactively over the phone.
Once the online portal is rebooted, applications there will resume.
Officials are now trying to determine how many of the services successfully accessed were fraudulent.
The RCMP and federal privacy commissioner have also been called in to assess the scale and scope of the personal information stolen.
The RCMP will also be looking for the source of the cyberattacks.
Part of that investigation will involve determining where the attacks are coming from, said Brouillard.
— with files from the Canadian Press