After temporarily shutting down its online services following crippling cyberattack incidents, the Canada Revenue Agency (CRA) has reopened its online portal.
A series of cyberattacks were recently launched on the CRA, affecting more than 5,500 taxpayer accounts. Those responsible for the cyberattacks stole thousands of usernames and passwords, and then used the information to fraudulently claim on CERB payments in a tactic known as “credential stuffing.” After discovering the breach, the CRA chose to shut down its online services on August 15 as a precautionary measure.
CRA reactivated all of its online services as of August 19, and gave assurances that it has modified its security systems to better protect accounts from similar types of cyberattacks in the future.
“The CRA sincerely regrets the impact that these cyber security incidents has had on Canadians,” the agency said in a statement announcing the reopening of its online services. “CRA personnel, and our partners, have quite literally been working around the clock to combat the recent attacks, to make sure Canadians’ personal information is safe, and to restore access to services on which Canadians rely.”
The agency added that it will be sending a letter to all individuals affected by the cybersecurity incidents, which details how they can restore access to their compromised accounts – which have been suspended in the wake of the breaches. CRA also said that it will be working with federal government partners to monitor the situation and to adjust its security posture as needed.
CRA has recommended that all users activate email notifications so that they will be alerted via email should their taxpayer account address or direct deposit information be changed. The agency has also added a PIN feature to its website, and has recommended that all users change their password due to the breach.
Several security experts have commented that the CRA could do better with improving its cybersecurity.
Plurilock CEO Ian Paterson told IT World Canada that the agency could have prevented credential stuffing by enabling two-factor/multi-factor authentication, as well as implanting a dark web monitoring program to detect compromised credentials.
“While we don’t have a direct line of sight to how they infiltrated the accounts, nor what was stolen, we do know the information was used to claim CERB payments and financial support offered by the federal government to support those people affected financially by COVID-19 closures,” said eSentire vice-president and industry security strategist Mark Sangster. It again demonstrates how criminal elements exploit the uncertainty and confusion orbiting natural disasters and pandemics.
In his statement, Sangster called for the CRA to implement cybersecurity best practices, such as informing employees of phishing attacks, limiting user permissions, ensuring critical assets are updated, and so on. He also recommended that there should be a tiered system for federal cybersecurity standards, wherein security standards increase as the information an organization holds becomes more critical.
While individuals can prevent credential stuffing by using different passwords for all their logins, it can be trickier for organizations and businesses to protect themselves, Darktrace director of enterprise security David Masson told IT World Canada in a comment. Masson suggested that only security solutions that utilize artificial intelligence can protect organizations, “since AI is able to provide full visibility of an entire digital infrastructure.”