Federal authorities were scrambling for answers over the weekend after revealing that hackers used thousands of stolen usernames and passwords to fraudulently obtain government services — with the extent of the damage still unclear.
More than 9,000 hijacked accounts that Canadians use to apply for and access federal services have been cancelled after being compromised in what the Treasury Board of Canada described as “credential stuffing” attacks.
“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts,” the federal department said in a statement.
The hacked accounts were tied to GCKey, which is used by around 30 federal departments and allows Canadians to access various services such as employment insurance, veterans’ benefits and immigration applications.
One-third of those accounts successfully accessed services before all of the affected accounts were shut down, said the Treasury Board, which is responsible for managing the federal civil service as well as the public purse.
Officials are now trying to determine how many of those services were fraudulent.
The GCKey attack included thousands of Canada Revenue Agency accounts, through which Canadians can access their income-tax records and other personal information as well as apply for financial support related to the COVID-19 pandemic.
A total of 5,500 CRA accounts were targeted through the GCKey attack and an earlier “credential stuffing” scheme, the Treasury Board said.
“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount,” the Treasury Board said in a statement.
The department did not reveal how many of the CRA accounts were compromised or the cost of the suspected fraud, but said federal officials as well as the RCMP and federal privacy commissioner were conducting separate investigations.
It also did not say how Canadians in receipt of services such as the Canada Child Benefit or Canada Emergency Response Benefit for those affected by COVID-19 would be affected.
Revelations of the GCKey attack follow earlier concerns and reports from some Canadians that they were being targeted by hackers during the pandemic, with some reporting thousands of dollars in CERB payments for which they did not apply.
The government warned Canadians to use unique passwords for all online accounts and to monitor them for suspicious activity.
The Canadian Anti-Fraud Centre says more than 13,000 Canadians have been victims of fraud totalling $51 million this year. There have been 1,729 victims of COVID-19 fraud worth $5.55 million.
Lee Berthiaume, The Canadian Press