CRA expects online services back Wednesday following cyberbreaches

OTTAWA โ€” The Canada Revenue Agency expects online services to be fully restored by Wednesday after fraudsters used thousands of pilfered usernames and passwords to obtain government services.

About 5,600 CRA accounts were targeted in what the federal government describes as "credential stuffing" schemes, in which hackers used passwords and usernames from other websites to access Canadians' revenue agency accounts.

The suspension of CRA's online services comes as many Canadians are relying on the revenue agency's website to access financial support related to the COVID-19 pandemic.

People can still apply for benefit programs including the Canada Emergency Student Benefit and the Canada Emergency Response Benefit by calling 1-800-959-8281, said Annette Butikofer, chief information officer of the revenue agency. 

In addition, employers can apply for the latest wage subsidy as planned, she said during a briefing Monday on the cyberattacks.

"We know employers are counting on these funds."

The government is advising Canadians to use unique passwords for all online accounts and to check for suspicious activity.

Federal officials have been grappling for the last week with the credential stuffing attacks, made possible through information that was previously stolen from non-government accounts.

The technique, often beginning with huge caches of usernames and passwords found in the darker reaches of the Internet, takes advantage of peoples' tendency to reuse passwords.

Fraudsters then use automated web bots to hammer websites with various credentials until they hit upon the right combination and get in, said Marc Brouillard, acting chief information officer of Canada.

Once in, the attacker can take over these accounts and steal personal information or undertake activities as that user, he told the briefing.

The first of three attacks in the last week took aim at the GCKey service, which is used by about 30 federal departments and allows Canadians to access services like the My Service Canada account.

By using the previously stolen usernames and passwords, the perpetrators were able to fraudulently acquire about 9,000 of the some 12 million GCKey accounts, one-third of which accessed federal services and are being further examined for suspicious activities, Brouillard said.

Affected GCKey accounts were cancelled, and the government is contacting users whose credentials were compromised with instructions on how to obtain a new GCKey.

Separately, CRA's system was hit by credential stuffing attacks. The perpetrators were able to use previously hacked credentials to access the CRA portal. They were also able to exploit a vulnerability that allowed them to bypass the CRA security questions and get into thousands more accounts.

In addition, early Saturday morning, the CRA portal was directly targeted with a large amount of traffic trying to attack the services through credential stuffing.

"Out of an abundance of caution the CRA portal was shut down to contain the attack and implement measures to protect CRA services," Brouillard said.

Credential stuffers are difficult to detect because they are not trying to sneak through a back door, he said.

"They are applying credentials just like normal users. So it's very hard to detect that pattern from all of the good traffic. But we have systems to monitor and look for these behaviours and identify when patterns don't seem to make sense and that's how this particular (attack) was identified."

The government is looking at greater use of two-factor authentication, where a user trying to log in to a system enters not only a password but receives a message with a code or link they must act on before being allowed in.

But putting this in place for all programs could be challenging, Brouillard suggested.

"We also have to worry about making our systems accessible and easy to use, so it is a balancing act," he said. "We're looking at ways of strengthening our systems to be able to address these issues."

Several federal agencies are investigating the incidents and since their work is ongoing, nothing will be said about the suspected perpetrators, said Scott Jones, head of Canadian Centre for Cyber Security.

The RCMP was notified of unusual activity Tues., Aug. 11, Butikofer said.

"The confidence and trust that individuals and businesses have in the CRA are the cornerstones of Canada's tax system," she said.

She said the revenue agency's teams have been "working around the clock to resolve these issues and protect the confidential information of Canadians."

Accounts of affected individuals have been revoked and letters have been sent to these people, she added.

Asked during the briefing if the government would apologize, Brouillard sidestepped the question.

"It's not a matter of being sorry or not sorry," he said. "Of course, this is not something we want to happen. But we are reacting to those attackers and addressing them and mitigating those services as much as possible. And that does include supporting Canadians."

An expression of regret did, however, come from Lori MacDonald, chief operating officer at Service Canada.

"Certainly we apologize for any inconvenience on behalf of the government of Canada caused to any of our clients," she told the briefing.

All CRA My Account users are encouraged, once services have been reactivated, to enable email notifications as a security measure, Butikofer said. This allows taxpayers to be contacted by email if their address or direct-deposit information has been changed on CRA records.

"These notifications act as an early warning to Canadians of potentially fraudulent activity on their accounts."

This report by The Canadian Press was first published Aug. 17, 2020.

Jim Bronskill, The Canadian Press