Over the past two weeks, the Canada Revenue Agency (CRA) has suffered 3 separate cyber security attacks. All 3 attacks were “credential stuffing,” in which hackers take the email addresses and passwords discovered in other breaches and try them to see if they work for other accounts.
The first attack targeted GCKey accounts, which allow Canadians to access services like Employment Insurance (EI); My Service Canada accounts; Immigration, Refugee and Citizenship Canada accounts; and veterans programs. It is estimated that the hackers were able to access 5,600 CRA My Accounts.
The second attack took place last week when hackers took advantage of a “vulnerability in security software, which allowed (the hackers) to bypass security questions and gain access,” Annette Butikofer, the chief information officer at the CRA, confirmed during a news conference on Monday. The third attack occurred over the weekend, prompting the CRA to suspend online services while it assessed the breach. Links between CRA My Accounts and My Service Canada accounts were also temporarily disabled.
There are two things that are interesting about this breach. The first is that the hackers got in by credential stuffing. The criminals took advantage of usernames and passwords they found on the dark web, and because users tend to re-use passwords, they were able to access these government accounts. CTV News interviewed Ann Cavoukian, Ontario’s ex-privacy commissioner, and she told CTV that she thinks the government didn’t do enough to protect Canadians’ sensitive data. Rather than blame Canadians for not using strong passwords, she said the government could have done more to encrypt data. The problem with Cavoukian’s statement is that the hackers didn’t break into the database to steal the data; rather, they found a key that let them in.
The other interesting thing to come out of this breach is that there was a vulnerability that allowed the hackers to bypass the security questions. In this, Cavoukian is correct in asserting the government could have done more. If this vulnerability had been patched, then perhaps these accounts might not have been so easily accessed.
So, what can you do if you think your information was breached? Change your passwords, and then ensure you are not re-using those passwords anywhere else. Where possible, implement two-factor authentication to make accessing your data even more difficult.
And what can you do to make sure your organization doesn’t have to deal with this type of breach? Set up Dark Web Monitoring so you know if and when your organization’s credentials turn up on the dark web. Ensure passwords are changed on a regular basis and enable two-factor authentication where possible. Regular vulnerability remediation would also have been helpful in this case.
Are you worried that your corporate data or credentials could be for sale on the dark web? Contact Uzado today for a dark web scan.