The Canadian Revenue Agency (CRA) has temporarily shut down its online services after it was struck by two cyberattacks that allowed hackers to obtain information from thousands of accounts registered with the agency.
The agency said that as of August 14, 2020, about 5,500 accounts had been affected by the two attacks.
“The CRA quickly identified the impacted accounts and disabled access to these accounts to ensure the safety and security of the taxpayer’s information,” a spokesperson for the agency said in an email. “The CRA is continuing to analyze both incidents. Law enforcement assistance has been requested from RCMP and an investigation has been initiated.”
Following confirmation of the attack, CRA disabled online services on its website, namely access to the My Account, My Business Account, and Represent a Client options.
CRA’s admission comes after reports over the past two weeks that some Canadians found several details of their CRA accounts had been changed without their knowledge. Some said that their email and direct deposit information had been changed, while others found that Canada Emergency Response Benefit (CERB) payments had been issued in their name even though they had not applied for the benefit.
The mayor of View Royal, David Screech, was one of the more high-profile victims of the data breach. Hackers attempted to claim $4,000 under the mayor’s name, hoping to deposit the payout in a bank account the malicious actors controlled.
A statement from the Treasury Board’s Office of the Chief Information Officer explained that the breach was due to a type of cyberattack called “credential stuffing.”
“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts,” the Office explained.
In addition to CRA accounts, accounts associated with GCKey – a portal that allows Canadians to access government services online – were also hacked, CBC News reported. About 9,041 GCKey users were affected, and their data was used to fraudulently access government services, a statement from the Office of the Chief Information Officer said.