Politics

CRA shuts down online services after thousands of accounts breached in cyberattacks

The Canada Revenue Agency has temporarily shut down its online services after the agency confirmed it was recently hit by two cyberattacks that compromised thousands of accounts linked to its services.

Temporary measure blocks Canadians from applying for some emergency COVID-19 benefits

A sign reading 'Canada Revenue Agency' stands outside of a large stone building.
The Canada Revenue Agency is investigating two online hacking incidents affecting the personal information of thousands of Canadians. (Adrian Wyld/The Canadian Press)

The Canada Revenue Agency has temporarily shut down its online services after the agency confirmed it was recently hit by two cyberattacks that compromised thousands of accounts linked to its services.

While the breaches have been contained, services connected to My Account, My Business Account and Represent a Client on the CRA website have been disabled as an additional safety measure. 

The shutdown means that anyone attempting to apply for emergency COVID-19 benefits, such as the Canada Emergency Response Benefit or the Canada Emergency Student Benefit, will be unable to do so until further notice. 

The agency said Saturday that as of Aug. 14, about 5,500 accounts had been affected by the separate attacks. 

"The CRA quickly identified the impacted accounts and disabled access to these accounts to ensure the safety and security of the taxpayer's information," CRA spokesperson Christopher Doody wrote in an email. "The CRA is continuing to analyze both incidents. Law enforcement assistance has been requested from RCMP and an investigation has been initiated."

Canadians attempting to log in to their Canada Revenue Agency accounts are met with a message informing them that they will not be able to access their accounts until further notice. (CBC News)

The admission came after repeated inquiries from CBC News after CBC noticed a pattern of similar hacks occurring over the past two weeks. 

Earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, that their direct deposit information was altered and that CERB payments had been issued in their name even though they had not applied for the COVID-19 benefit.

Most reported that they were first alerted to the suspicious activity after receiving legitimate emails from the CRA confirming that their email addresses had been discontinued.

Attacks based on reused usernames, passwords

The incidents are a type of attack known as "credential stuffing," the Treasury Board's Office of the Chief Information Officer shared in a statement.

"These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts."

Aside from CRA accounts, thousands of others linked to GCKey — a secure portal that allows Canadians to access government services online — were also affected.

"Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity," the statement read.

Compromised accounts connected to that platform, which is used by about 30 federal departments, were shut down when the threat was first discovered. 

WATCH | Thousands of CRA accounts hacked in cyberattack: 

Thousands of CRA accounts hacked in cyberattack

4 years ago
Duration 2:01
The Canada Revenue Agency has shut down its online services after 5,500 people had their CRA accounts hacked. Experts say the thieves are after emergency funds meant for pandemic relief, but there are doubts about CRA's claim that people's password habits made them vulnerable.

CERB fraud not uncommon

In an email sent to CBC News days before the CRA publicized the attacks, the agency said there is typically an uptick in fraudulent activity at the beginning of each CERB pay period. The most recent period started Aug. 2.

The Canadian Anti-Fraud Centre has already received more than 700 reports of identity fraud connected to the federal emergency response benefit. Resolving a fraud attempt can sometimes be a lengthy process for victims that can see them frozen out of receiving other benefits until their accounts are restored.

The RCMP has confirmed that its National Division, which investigates "sensitive, high profile cases that threaten Canada's political, economic and social integrity," is actively looking into the attacks. The Office of the Privacy Commissioner of Canada is also monitoring the situation.

The CRA said it is sending letters to those affected by the incidents, explaining how to confirm their identity to regain control of their accounts. Individuals phoning the agency for help can select the "report suspected fraud or identity theft" option to fast-track their call.

Canada's cyber intelligence agency recommends that anyone affected by the breach update their passwords immediately and choose something they will not use for any other account.