Cyber Incident Victim: Canada Revenue Agency

Date: Aug 2020

Location: Canada

Summary

The Canada Revenue Agency experienced two credential stuffing cyberattacks that compromised approximately 5,500 accounts linked to its online tax platforms and 9,041 GCKey accounts used to access government service portals, exploiting credentials reused from prior breaches. Services including taxpayer accounts and emergency benefit applications were temporarily disabled as a precaution; attackers altered email addresses and direct deposit information to fraudulently obtain COVID-19 relief payments. The agency contained the breaches, disabled impacted accounts, initiated RCMP investigations, and notified affected individuals so they could regain account access through identity verification processes.

Description

In early August 2020, the Canada Revenue Agency (CRA) experienced two separate cyberattacks that compromised thousands of online accounts. The attacks used credential stuffing, in which attackers try usernames and passwords previously stolen in unrelated global breaches against CRA systems, capitalizing on password reuse by users. By August 14, approximately 5,500 CRA accounts linked to the My Account, My Business Account, and Represent a Client services were confirmed compromised. Attackers altered email addresses and direct deposit information associated with these accounts and fraudulently applied for Canada Emergency Response Benefit (CERB) and Canada Emergency Student Benefit payments without the account holders' knowledge. Affected individuals began receiving legitimate CRA notifications about email discontinuations, which alerted them to the unauthorized changes. Concurrently, 9,041 GCKey accounts were also breached (GCKey is a portal used to access approximately 30 federal services); about one-third of those accounts were used to successfully access government services, triggering further scrutiny. The CRA proactively disabled all affected accounts upon discovery and temporarily shut down its online services, including critical COVID-19 benefit applications, to contain the breaches.

The CRA initiated an investigation with RCMP assistance and implemented identity verification protocols for impacted users. Letters were dispatched to guide account recovery, while call centers prioritized cases through a dedicated fraud reporting option. The Treasury Board's Office of the Chief Information Officer confirmed the credential stuffing methodology, noting that attackers leveraged credentials from prior third-party breaches. Service disruptions persisted during the shutdown, preventing legitimate users from applying for emergency benefits or accessing tax services. No additional attacker motives or identities were disclosed. The incident underscored the risk of password reuse across government platforms, a risk that extends to GCKey's more than 12 million active users. Cybersecurity authorities advised users to update their passwords and not to reuse credentials elsewhere, though no systemic data exfiltration beyond account takeovers was confirmed. Restoration timelines for full service resumption remained unspecified at the time of reporting.