"Suspicious activity" detected on over 48,000 CRA accounts following data breach

Accounts were breached thanks to a technique called credential stuffing

"Suspicious activity" detected on over 48,000 CRA accounts following data breach


By Lyle Adriano

The Treasury Board of Canada has detected suspicious activity on over 48,000 Canada Revenue Agency (CRA) accounts after a series of cyberattacks compromised the agency’s systems in recent months.

According to the treasury, the cyberattacks in July and August targeted both the CRA and GCKey, an online portal which allows users to access government services such as employment insurance and immigration services.

It is believed that the malicious actors used a method called credential stuffing in order to gain access to CRA accounts. Credential stuffing involves using usernames and passwords across multiple platforms to abuse accounts that use the same credentials as other accounts that have been previously hacked.

While CRA accounts showed evidence of suspicious activity, the Treasury Board has confirmed that GCKey was not compromised by the malicious actors. However, GCKey has revoked 9,300 credentials for its system as a precaution and is contacting affected users to inform them of how to block later cyberattack attempts.

CBC News reported that those who receive a revocation message can either register for new credentials, or use the SecureKey Concierge for safer, future access.

The Treasury Board has announced that the RCMP’s investigation into the cyberattacks is still ongoing, and that the affected departments have been in contact with the Office of the Privacy Commissioner.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!