During the week of August 10, 2020 Government of Canada announced encountering three different cyberattacks, which led to the shutdown of their online services for days.
Here is a breakdown of what happened with the CRA cybersecurity incident.
How Did The CRA Get Hacked?
The officials claimed that the GC keys itself were not compromised.
But, the hackers used a sophisticated cyberattack practice commonly known as “Credential Stuffing” to infiltrate into the CRA
systems.
Cyberattack 1: About 3,400 accounts were targeted through GC Key theft incidents
Cyberattack 2: Attempts were made to gain direct access for about 2000 direct taxpayers accounts (attempts were detected & immediately shut down)
Cyberattack 3: An (undisclosed) cyberattack attempt was made again on Saturday, August 16, 2020, which prompted the officials to shut down the CRA portal completely.
Around 2,800 other accounts were also targeted.
The officials confirmed that this cybersecurity incident might have impacted around 5,600 CRA accounts out of 15 million.
Additionally, the hackers were able to exploit a vulnerability in the security software configuration, which allowed
them to bypass the CRA security questions step and gain access to the CRA accounts.
What Is Credential Stuffing?
Credential stuffing relies primarily on the reuse of the same usernames or account IDs across different online services.
It is one of the most common practices among cybercriminals, where the hackers use previously acquired credentials from other 3rd party data breaches and run it against millions of other accounts and portals.
For Example: If you use the same email address and password for different accounts regardless of if they are mobile apps like Uber, TikTok, Amazon or online applications like Evite, SurveyMonkey or others. If any of these portals were to be breached at any point, the hackers acquire your credential and run it against other digital applications.
If you use the same credentials for more than one application, your vulnerability increases substantially for credential stuffing cyberattacks.
What Are The Steps The Government Of Canada Is Taking After The CRA Cybersecurity Incident?
While the breaches have been contained, services connected to My Account, My Business Account and Represent a Client on the CRA website have been disabled unti
l at least Wednesday, August 19, 2020, as an additional safety measure.
- CRA portal is shut down to prevent the multiplication of the attack.
- Letters will be issued to the affected account holders with steps to enable their CRA accounts.
- The CRA portal will be inaccessible until at least Wednesday, August 19, 2020. However, my business account is accessible as of Monday afternoon.
Read Top 4 Learnings from CRA Cybersecurity incident August 2020.