Cyber Incident Victim: Government of Canada Key

Date: Aug 2020

Location: Canada

Summary

A credential stuffing attack targeted Canada's GCKey single sign-on system, compromising approximately 9,041 accounts and enabling unauthorized access to critical services including tax and benefit portals. Attackers exploited the absence of multi-factor authentication and anti-bot captchas to hijack COVID-19 relief payments, redirecting funds such as the Canada Emergency Response Benefit to fraudulent accounts. One confirmed case involved the theft of CA$10,000. The breach also impacted 5,500 Canada Revenue Agency accounts through related credential stuffing, prompting immediate account cancellations and credential resets for affected users. This incident revealed systemic vulnerabilities in federated government authentication systems.


Description

In mid-August 2020, Canadian government systems experienced a coordinated cyberattack targeting the GCKey single sign-on (SSO) portal, which provided access to critical services including immigration, tax, pension, and benefit programs. Attackers employed credential stuffing (automated login attempts using previously leaked username-password pairs) to compromise approximately 9,041 GCKey accounts out of 12 million total users. The breach was detected over the weekend of August 15-16, prompting the Office of the Chief Information Officer of Canada to issue a public statement. Affected accounts were immediately revoked, with departments initiating contact to guide users through GCKey reissuance procedures.

The attackers exploited the absence of multi-factor authentication (MFA) in GCKey workflows, which relied solely on passwords and security questions ("something you know") without secondary verification such as SMS codes. Security captchas were also not implemented, which left the login flow open to automated bot attacks. The GCKey system's integration with over 30 federal departments, including the Canada Revenue Agency (CRA), amplified the attack's reach, with approximately 5,500 CRA accounts compromised through separate but related credential stuffing incidents.
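The pattern described above (one source trying many different usernames, mostly failing) can be separated in authentication logs from a user mistyping a password and from a shared office address. The following is an added example, not part of the original page or of any GCKey tooling; the log format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not data from the incident): time, source IP, username, result.
SAMPLE_LOG = """\
2020-08-15T02:00:01 203.0.113.7 alice FAIL
2020-08-15T02:00:02 203.0.113.7 bob FAIL
2020-08-15T02:00:03 203.0.113.7 carol OK
2020-08-15T02:00:04 203.0.113.7 dan FAIL
2020-08-15T02:00:05 203.0.113.7 erin FAIL
2020-08-15T02:00:06 203.0.113.7 frank FAIL
2020-08-15T09:10:00 198.51.100.20 grace FAIL
2020-08-15T09:10:45 198.51.100.20 grace OK
2020-08-15T09:30:00 192.0.2.55 heidi OK
2020-08-15T09:30:30 192.0.2.55 ivan OK
2020-08-15T09:31:00 192.0.2.55 judy OK
2020-08-15T09:31:30 192.0.2.55 mallory OK
2020-08-15T09:32:00 192.0.2.55 niaj OK
"""

def parse(log):
    """Yield (timestamp, ip, username, succeeded) from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(log, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.3):
    """Flag IPs that try many distinct usernames in one window with mostly failures."""
    by_ip = defaultdict(list)
    for event in sorted(parse(log)):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end, (ts, _, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            win = events[start:end + 1]
            users = {user for _, _, user, _ in win}
            ok_ratio = sum(ok for *_, ok in win) / len(win)
            if len(users) >= min_users and ok_ratio <= max_ok_ratio:
                # Any successful login from this source is a likely account takeover.
                flagged[ip] = sorted({u for _, _, u, ok in events if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: suspected credential stuffing; accounts to revoke: {accounts}")
```

The success-ratio condition is what keeps the shared address 192.0.2.55 from being flagged; a source that rotates addresses per attempt would need the same counting keyed on something other than IP.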


The breach directly facilitated theft of COVID-19 relief funds under the Canada Emergency Response Benefit (CERB), which offered eligible residents up to CA$2,000 per payment. Attackers redirected payments by manipulating CERB applications through compromised "My Service Canada" accounts linked to GCKey. One confirmed case involved Toronto resident Farivar Ahmadzadeh, who reported CA$10,000 fraudulently diverted to unauthorized accounts. While the government did not specify whether all incidents stemmed from credential stuffing or traditional identity theft, the attack exposed systemic vulnerabilities in federated authentication systems. The absence of MFA allowed attackers who obtained credentials to conduct sensitive transactions unimpeded. Response efforts focused on account revocation and user notification, with officials directing concerned citizens to contact the 1-800-O-Canada helpline. No technical countermeasures such as MFA implementation or captcha deployment were detailed in the immediate aftermath. The incident highlighted risks associated with interconnected government portals, where multiple entry points expanded the attack surface without uniform security controls.
