Update from Office of Chief Information Officer of Government Canada on recent cyber attacks

From: Treasury Board of Canada Secretariat

It is important that Canadians can access online government services easily and securely. In early August, the Government of Canada took action to stop “credential stuffing” attacks mounted on the GCKey service and Canada Revenue Agency (CRA) accounts.

As reported previously, attackers used usernames and passwords stolen in previous hacks involving non-governmental third parties to log into some GCKey accounts. The GCKey service itself was not compromised. In response the government revoked 9,300 GCKey credentials and put in place measures to prevent further attempts to access its services with these compromised credentials. These measures blocked subsequent attacks.

As a result of ongoing forensic analysis of these cyber incidents, the CRA has identified suspicious activities occurring between early July and August 15 on approximately 48,500 of the more than 14 million CRA user accounts.

Safeguards have been placed on affected accounts and all valid emergency benefit payments will be issued. The CRA will work with individuals affected by identity theft or fraud to help ensure they are not held liable for fraudulent claims and payments made by fraudsters using their account. Individuals whose accounts have been compromised will be offered credit protection services free of charge.

Service Canada and CRA have taken additional safety measures to protect account holders, such as deactivating the compromised accounts, temporarily removing some online abilities, and adding additional security measures to the account sign-in process. These mitigation measures have proven to be effective.

The Royal Canadian Mounted Police investigation is ongoing and affected departments are also conducting their own investigations. As well, affected departments have been in contact with the Office of the Privacy Commissioner to provide updates on instances where personal information has been compromised. Account holders are being notified in such instances.

In cases where users have experienced suspicious transactions or activity, the government will ensure they are not disadvantaged and, are offered ongoing credit protection and monitoring as needed.

All affected departments have been contacting users whose credentials were revoked to provide instructions on receiving a new GCKey credential. Canadians who received a message about the revocation of their GCKey credential, can re-register for a new one through any of the online services they use. Another option is to use the SecureKey Concierge service which lets users sign in to 269 different Government of Canada online services through sign-in partners, such as major banks.

While the government continues to take action to mitigate attacks and minimize threats, attackers are constantly adjusting their methods. Canadians need to remain vigilant in protecting account information. Users should always use a different password for each online account. Tools such as password managers can help create, store, and remember passwords.

Affected parties are encouraged to review information in all their accounts to make sure nothing has changed. If anything looks out of the ordinary, contact the service provider to let them know. Citizens who fear that they have been the victims of fraud can contact their local police or the Canadian Anti-Fraud Centre.

/Public Release. The material in this public release comes from the originating organization and may be of a point-in-time nature, edited for clarity, style and length. View in full here.