Cyber Incident Victim: Canada Revenue Agency

Date:

Jun 2022

Location:

Canada

Summary

A global cyberattack exploiting a vulnerability in the MOVEit secure file transfer software impacted multiple organizations, including the Canada Revenue Agency. The breach, attributed to the Cl0p ransomware group, compromised sensitive data across various entities; while the agency stated stolen information was either publicly available or encrypted and inaccessible, other victims experienced exposure of banking details, health claim summaries, and personal identifiers. The incident affected hundreds of thousands of individuals through supply chain compromises involving subcontractors and service providers, with delayed confirmations of data exfiltration prompting external investigations. Mitigation efforts included credit monitoring services for affected parties.

Description

The Canada Revenue Agency (CRA) was affected by a global data breach stemming from a vulnerability in the MOVEit secure file transfer software, exploited by the cybercriminal group Cl0p in June 2022. The breach impacted multiple organizations worldwide, with the Cl0p ransomware gang exfiltrating data from unpatched MOVEit Transfer servers. The CRA confirmed its systems were affected during this incident, though it asserted that compromised data consisted either of publicly available information or encrypted files rendered unreadable without decryption keys. This disclosure came during summer 2023 when the CRA provided assurances to CBC regarding the limited sensitivity of exposed data. The breach's global scale affected over 60 million individuals according to cybersecurity firm Emsisoft, with the CRA among numerous government and private sector entities compromised through third-party vendors using MOVEit software.

Other Canadian organizations experienced more severe impacts from the same breach. The Commission de la construction du Québec (CCQ) confirmed on October 13, 2022, that personal data of 250,000 construction workers enrolled in its Medic Construction health plan had been stolen, including bank account numbers and healthcare claim summaries. The breach originated from their insurance provider Green Shield Canada's compromised MOVEit system. Similarly, insurer Beneva suffered data exposure through accounting firm EY's compromised MOVEit transfers, potentially exposing birthdates, salaries, medical conditions, and pension amounts. Ontario's BORN birth registry lost health data on 3.4 million mothers and children. While the CRA maintained its breach consequences were limited, these parallel incidents demonstrate the attack's broad reach across healthcare, financial, and government sectors through supply chain vulnerabilities. All affected organizations implemented notification procedures and credit monitoring services, with CCQ offering 24-month Equifax surveillance programs comparable to Desjardins' 2019 breach response.
