Authorities assure Canadians that the breaches have been contained
The Canada Revenue Agency (CRA) has suspended its online services after a series of cyberattacks that involved the use of stolen personal information.
Over the weekend, the federal government said that it had temporarily halted access to CRA and GCKey accounts after 11,200 accounts were targeted by “credential stuffing” schemes – massed automated attacks that use passwords and other user information obtained elsewhere on the Internet to fraudulently access user accounts.
The government said that it is hoping to reopen access within the week, assuring users that the security loopholes that paved the way for the attacks have been addressed.
“The bad actors were able to use the previously hacked credentials to access the CRA portal. They were also able to exploit a vulnerability in the configuration of security software… which allowed them to bypass the CRA security questions and gain access to a user’s CRA account,” said Marc Brouillard of the Treasury Board of Canada Secretariat.
“Because of the systems that we have in place, we were able to detect these attacks early on and have largely been able to mitigate the impact to Canadians,” Brouillard said in a Monday briefing, as quoted by CBC News.
However, scams targeting Canadians’ financial information have become more frequent during the COVID-19 pandemic, making government assurances ring somewhat hollow.
In a recent CBC News report, British Columbia single mother Tara McWilliams said that neither the CRA nor the provincial government has taken any concrete action regarding fraudulent CERB payments totalling $4,000.
The payments issued in McWilliams’s name reportedly stemmed from unauthorized access to her CRA account.
“I’ve reported to a lot of people. It’s been a lot of hours, I’ve missed two full days of work over it and still it’s not resolved,” McWilliams said earlier this month. “I just want this resolved and I don’t want this to happen to anybody else.”