Federal officials from a number of government departments are providing details today on two cyberattacks that compromised the personal information of thousands of Canadians and allowed hackers to fraudulently access government services.
As first reported by CBC News, the attacks targeted the Canada Revenue Agency and GCKey, a secure online portal that allows Canadians to access services such as employment insurance, veterans’ benefits and immigration applications.
The Canada Revenue Agency temporarily cut off access to its online services on Sunday after confirming that at least 5,500 CRA accounts had been affected.
Another 9,000 or so accounts were affected by the GCKey attack. A spokesperson for the Treasury Board, which manages the public service, said the government detected attempts to access accounts in at least 24 different departments, including Employment and Social Development Canada and Immigration, Refugee and Citizenship Canada.
Senior officials from the Treasury Board, CRA and the Canadian Centre for Cyber Security are giving an update at a 10 a.m. press conference. CBC News is carrying it live.
The incidents are a type of attack known as “credential stuffing,” where hackers fraudulently obtain usernames and passwords to accounts on other websites, and take advantage of the fact that many people use the same password for different accounts.
The RCMP has confirmed that its National Division, which investigates “sensitive, high profile cases that threaten Canada’s political, economic and social integrity,” is actively looking into the attacks. The Office of the Privacy Commissioner of Canada is also monitoring the situation.
The shutdown of CRA’s online services means that anyone attempting to apply for emergency COVID-19 benefits, such as the Canada emergency response benefit, the emergency student benefit or the federal wage subsidy for businesses, will be unable to do so until further notice.
The Canadian Anti-Fraud Centre says more than 13,000 Canadians have been victims of fraud totalling $51 million this year. There have been 1,729 victims of COVID-19 fraud worth $5.55 million