A cyber-attack has led to thousands of stolen user-names and passwords Canadians use to obtain Federal Government services — with the extent of the damage still unclear.
More than 9,000 hijacked accounts have been cancelled after being compromised in what the Treasury Board of Canada described as “credential stuffing” attacks.
In a statement, the Treasury Board said the attacks, which used passwords and user-names collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and user-names across multiple accounts.
The hacked accounts were tied to GCKey, which is used by around 30 Federal Departments and allows Canadians to access various services such as employment insurance, veterans’ benefits and immigration applications.
The Treasury Board, which is responsible for managing the Federal Public Service as well as the public purse, said one third of the hacked accounts successfully accessed services before all of them were shut down.
Officials are now trying to determine how many of those services were fraudulent.
The GCKey attack included thousands of Canada Revenue Agency (CRA) accounts, through which Canadians can access their income-tax records and other personal information as well as apply for financial support related to the COVID-19 pandemic.
“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount,” the statement said.
The Treasury Board did not reveal how many of the CRA accounts were compromised or the cost of the suspected fraud, but said Federal officials, as well as the police and Federal Privacy Commissioner, were conducting separate investigations.
The Canadian Anti-Fraud Centre says more than 13,000 Canadians have been victims of fraud totaling $C51 million ($A53.5 million) this year.
It said there had been 1,729 victims of COVID-19 fraud worth $C5.55 million ($A5.82 million).
Ottawa, 18 August 2020
