‘It’s scary’: CRA breach victims wait for answers as accounts stay locked

Click to play video: 'CRA shuts down online services after cyberattacks' CRA shuts down online services after cyberattacks
WATCH: CRA shuts down online services after cyberattacks – Aug 17, 2020

Sandra Laframboise says she was stunned when she found out her Canada Revenue Agency account might’ve been breached.

The 60-year-old Vancouver woman says she’s adamant about her security online. She regularly changes her passwords, clears her browsing data and keeps her computer software up to date.

When her purse was stolen in early July, Lamframboise changed “everything” — identification cards, bank and credit cards, and her online login credentials for her CRA and other online accounts. She even went as far as filing a report with the RCMP’s Anti-Fraud Centre.

Read more: What to know (and do) about the CRA breach and shutdown

Service Canada advised her at the time to check her CRA account on a regular basis, which Lamframboise says she did, but that all her necessary changes were made.

Story continues below advertisement

And yet, on Aug. 4, she received an email from the CRA informing her that her banking information had been updated — to a bank she had never used.

Laframboise, a former government of Canada worker, knew something was up.

“I logged in and changed it back to my banking information. A few days later when I went to log back in and check on my account, as I was told to, and got an error code,” she said.

Click to play video: 'Thousands of CRA, government service accounts targeted by hackers in ‘credential stuffing’ attacks' Thousands of CRA, government service accounts targeted by hackers in ‘credential stuffing’ attacks
Thousands of CRA, government service accounts targeted by hackers in ‘credential stuffing’ attacks – Aug 15, 2020

Laframboise called the CRA and explained her situation. She was told she’d get a callback within two days. A week later, she had heard nothing.

“That’s when I saw on the news that Revenue Canada had been hacked.”

The CRA did not respond to a request from Global News for comment by time of publication.

Story continues below advertisement

The CRA was forced to temporarily suspend its online services on Aug. 16 after a series of cyberattacks compromised the usernames and passwords of more than 5,000 accounts.

The hacks are believed to be part of a “credential stuffing” scheme, the government said, meaning the hackers used passwords and usernames from other websites to access CRA accounts.

Essentially, people who use the same password and username for multiple logins online are those whose accounts may have been breached.

Read more: CRA expects online services to be restored by Wednesday after cyberattacks

The attack is now under control, and the CRA’s online services resumed at 5 p.m. ET on Wednesday.

Government officials have said that Canadians whose accounts have been impacted would be notified, either by letter or email, sometime this week. At that point, CRA agents will work with account holders to re-verify their information.

But some Canadians, like Laframboise, noticed abnormal activity on their accounts themselves.

Julie Kagansky, of Burlington, Ont., spotted something odd while browsing through her emails on the morning of Aug. 10.

Accustomed to sweeping through and deleting unneeded subscription emails and scams, Kagansky was concerned when she noticed multiple emails from the CRA.

Story continues below advertisement
Click to play video: 'Nearly 9,000 GC Key accounts were hacked during CRA cyber attack, feds say' Nearly 9,000 GC Key accounts were hacked during CRA cyber attack, feds say
Nearly 9,000 GC Key accounts were hacked during CRA cyber attack, feds say – Aug 17, 2020

“It didn’t appear to be a phishing email,” she told Global News. “There were two email confirmations that I had applied for CERB (Canada Emergency Response Benefit) and that it would be deposited into my account within three business days.”

The third email was a confirmation that her direct deposit information had been updated.

Kagansky said she logged into her account and found that two CERB payments had been applied on her behalf — something she never applied for or needed to apply for in the past. She also saw that her banking information had, in fact, been changed.

Kagansky said she was able to confirm with a CRA representative that her account had been hacked and reversed her banking information, but she was still worried.

Read more: CRA shuts down online services after cyberattacks expose thousands of accounts

Story continues below advertisement

“Was it more than just my CRA account? Had my identity been stolen? My banking information? I had to check all my other accounts to ensure nothing else was touched.”

Josh Thomas of Ottawa experienced a similar issue.

He said he found a CERB request for $4,000 on his CRA account on Aug. 10 after receiving an email telling him that changes were made to his account.

He was able to cancel the payment quickly and switch the email address back to his own. But when he refreshed the webpage to make sure the changes were made, he said his email had been removed for a second time and that the third CERB payment had been resumed.

“I guess whoever was hacking it was hacking it in real-time,” he said. “It was really freaky.”

Click to play video: 'Government officials explain how “credential stuffing” hacks affected CRA accounts' Government officials explain how “credential stuffing” hacks affected CRA accounts
Government officials explain how “credential stuffing” hacks affected CRA accounts – Aug 17, 2020

Thomas said he didn’t get much information from the CRA about why the breach occurred, nor has he received any notification from the agency about the breach since he called himself.

Story continues below advertisement

He believes a possible breach on his Pinterest account may be related.

“I got an email the same day saying it was breached,” he said. “I think Pinterest was my Achilles heel.”

Since the breach stemmed from stolen usernames and passwords from other sites, the CRA has encouraged anyone who believes they may be impacted to do a sweep of all their other online accounts for any abnormal behaviour.

“If you’ve been a victim here, there’s a good chance you’re a victim elsewhere, as well,” Marc Brouillard, the federal government’s acting chief information officer, told reporters at a news conference on Aug. 17.

Read more: Data of Trent University alumni, faculty may have been copied during cybersecurity attack

Kagansky acknowledged that it never occurred to her to change her CRA account password. She said the password was unique to that account, which she’s had for years and “rarely” uses.

“More and more institutions require a stronger password. I did always wonder why the CRA wasn’t suggesting a stronger password,” she said.

“It doesn’t make sense why the CRA didn’t step ahead of the curve and require more confirmations.”

Laframboise worries the breach is larger than being reported. Having just done a sweep of her personal data after losing her purse, she’s concerned about how exactly these accounts were accessed — and what information was taken.

Story continues below advertisement

“They’re trying to blame us for using the same password, but I think this is their problem.”

Sponsored content