Thousands of accounts breached after cyberattacks target CRA
Posted Aug 22, 2020 04:35:57 PM.
The Canada Revenue Agency (CRA) recently announced it was the target of two separate cyberattacks in which about 5,500 consumer accounts were compromised.
On top of that, the login information of over 9,000 accounts was fraudulently acquired and used to try to access government services. Hackers successfully breached one-third of these accounts, and the CRA and RCMP are examining them for suspicious activity.
Hackers used usernames and passwords collected from previous data breaches across the world in a “credential stuffing” scheme — a cyberattack where stolen account credentials, typically lists of emails, usernames and passwords, are used to gain access to accounts.
“We all know that a lot of people will use the same username and password across multiple websites,” Kristin Matthews from the Better Business Bureau (BBB) tells NEWS 95.7’s The Todd Veinotte Show. “So, attackers can often use one piece of credential information to unlock multiple accounts.”
According to the federal government’s frequently asked questions page about GCKey, a login method for Canadians accessing government services, users need to be protective about their login credentials.
For instance, users should not share their login information, including usernames, passwords and account recovery details. Users should also memorize their information rather than writing it down; choose login information that is meaningful to them but meaningless to others; change their password every three to six months; refrain from using personal information, like their SIN or name; and sign out when finished with the online service.
If a user’s account has been compromised, Matthews says the first thing they should do is put a credit freeze or fraud alert on their credit report through Equifax or TransUnion. A credit freeze prevents anyone from accessing a compromised user’s credit report or scores. A fraud alert flags the user’s account but does not prevent someone from opening new credit in the user’s name.
Next, the user should update the passwords for all of their online accounts. This is especially important if the password for the compromised account was also used on other sites.
Then, compromised users should monitor their credit card statements. If an unrecognized charge appears, it should be reported to the user’s bank or credit card issuer immediately.
Finally, users must avoid fake emails. Users should not respond to emails offering help in the wake of an attack, click on any links in them or provide any personal information.
Since the CRA’s main form of communication is through email, Matthews says it’s easy for scammers to send a fake email claiming they’re the CRA.
“In that situation, you just want to double, triple, quadruple check that the email is coming from CRA,” she says.
Matthews says the CRA hasn’t confirmed how it’s going to contact the users of accounts that have been compromised, but she hopes it’s by phone.
“I really think the most harmful perspective is believing that you’re not at risk of a cyberattack,” she says, “because many cybercriminals do not discriminate and they will target anyone and everyone that they can target.”
According to the CRA’s statement, affected GCKey accounts were cancelled as soon as the threat was discovered. Departments are contacting users whose credentials were affected to provide information on how to receive a new GCKey.
When signing up for GCKey, personal information is protected under the federal Privacy Act. On top of that, encryption is used to transfer users’ data over the internet.
Still, the BBB has tips on how to further protect a user’s login information. For example, users can double their login protection with multi-factor authentication; use a long and creative password; limit the personal information posted on social media; and avoid sensitive activities, like banking, on unsecured public Wi-Fi.
Those with immediate concerns about their GCKey account can call 1-800-O-Canada for more information.