Skip to main content
The Globe and Mail
Support Quality Journalism
The Globe and Mail
First Access to Latest
Investment News
Collection of curated
e-books and guides
Inform your decisions via
Globe Investor Tools
Just$1.99
per week
for first 24 weeks

Enjoy unlimited digital access
Enjoy Unlimited Digital Access
Get full access to globeandmail.com
Just $1.99 per week for the first 24 weeks
Just $1.99 per week for the first 24 weeks
var select={root:".js-sub-pencil",control:".js-sub-pencil-control",open:"o-sub-pencil--open",closed:"o-sub-pencil--closed"},dom={},allowExpand=!0;function pencilInit(o){var e=arguments.length>1&&void 0!==arguments[1]&&arguments[1];select.root=o,dom.root=document.querySelector(select.root),dom.root&&(dom.control=document.querySelector(select.control),dom.control.addEventListener("click",onToggleClicked),setPanelState(e),window.addEventListener("scroll",onWindowScroll),dom.root.removeAttribute("hidden"))}function isPanelOpen(){return dom.root.classList.contains(select.open)}function setPanelState(o){dom.root.classList[o?"add":"remove"](select.open),dom.root.classList[o?"remove":"add"](select.closed),dom.control.setAttribute("aria-expanded",o)}function onToggleClicked(){var l=!isPanelOpen();setPanelState(l)}function onWindowScroll(){window.requestAnimationFrame(function() {var l=isPanelOpen(),n=0===(document.body.scrollTop||document.documentElement.scrollTop);n||l||!allowExpand?n&&l&&(allowExpand=!0,setPanelState(!1)):(allowExpand=!1,setPanelState(!0))});}pencilInit(".js-sub-pencil",!1); // via darwin-bg var slideIndex = 0; carousel(); function carousel() { var i; var x = document.getElementsByClassName("subs_valueprop"); for (i = 0; i < x.length; i++) { x[i].style.display = "none"; } slideIndex++; if (slideIndex> x.length) { slideIndex = 1; } x[slideIndex - 1].style.display = "block"; setTimeout(carousel, 2500); }

A person looks at the Canada Revenue Agency homepage on a computer in Montreal, on Aug. 16, 2020.

Graham Hughes/The Canadian Press

The Canada Revenue Agency expects online services to be fully restored by Wednesday after fraudsters used thousands of pilfered usernames and passwords to obtain government services.

About 5,600 CRA accounts were targeted in what the federal government describes as “credential stuffing” schemes, in which hackers used passwords and usernames from other websites to access Canadians’ revenue agency accounts.

The suspension of CRA’s online services comes as many Canadians are relying on the revenue agency’s website to access financial support related to the COVID-19 pandemic.

Story continues below advertisement

People can still apply for benefit programs including the Canada Emergency Student Benefit and the Canada Emergency Response Benefit by calling 1-800-959-8281, said Annette Butikofer, chief information officer of the revenue agency.

In addition, employers can apply for the latest wage subsidy as planned, she said during a briefing Monday on the cyberattacks.

“We know employers are counting on these funds.”

The government is advising Canadians to use unique passwords for all online accounts and to check for suspicious activity.

The Canada Revenue Agency expects its online services to be fully restored by Wednesday after fraudsters used thousands of stolen usernames and passwords to obtain government services. About 5,600 CRA accounts were targeted in what the federal government describes as "credential stuffing" schemes, in which the fraudsters use identifiers and passwords from other websites to access Canadians' accounts with the revenue agency. The Canadian Press

Federal officials have been grappling for the last week with the credential stuffing attacks, made possible through information that was previously stolen from non-government accounts.

The technique, often beginning with huge caches of usernames and passwords found in the darker reaches of the internet, takes advantage of peoples’ tendency to reuse passwords.

Fraudsters then use automated web bots to hammer websites with various credentials until they hit upon the right combination and get in, said Marc Brouillard, acting chief information officer of Canada.

Story continues below advertisement

Once in, the attacker can take over these accounts and steal personal information or undertake activities as that user, he told the briefing.

The first of three attacks in the last week took aim at the GCKey service, which is used by about 30 federal departments and allows Canadians to access services like the My Service Canada account.

By using the previously stolen usernames and passwords, the perpetrators were able to fraudulently acquire about 9,000 of the some 12 million GCKey accounts, one-third of which accessed federal services and are being further examined for suspicious activities, Mr. Brouillard said.

Affected GCKey accounts were cancelled, and the government is contacting users whose credentials were compromised with instructions on how to obtain a new GCKey.

Separately, CRA’s system was hit by credential stuffing attacks. The perpetrators were able to use previously hacked credentials to access the CRA portal. They were also able to exploit a vulnerability that allowed them to bypass the CRA security questions and get into thousands more accounts.

In addition, early Saturday morning, the CRA portal was directly targeted with a large amount of traffic trying to attack the services through credential stuffing.

Story continues below advertisement

“Out of an abundance of caution the CRA portal was shut down to contain the attack and implement measures to protect CRA services,” Mr. Brouillard said.

Credential stuffers are difficult to detect because they are not trying to sneak through a back door, he said.

“They are applying credentials just like normal users. So it’s very hard to detect that pattern from all of the good traffic. But we have systems to monitor and look for these behaviours and identify when patterns don’t seem to make sense and that’s how this particular [attack] was identified.”

The government is looking at greater use of two-factor authentication, where a user trying to log in to a system enters not only a password but receives a message with a code or link they must act on before being allowed in.

But putting this in place for all programs could be challenging, Mr. Brouillard suggested.

“We also have to worry about making our systems accessible and easy to use, so it is a balancing act,” he said. “We’re looking at ways of strengthening our systems to be able to address these issues.”

Story continues below advertisement

Several federal agencies are investigating the incidents and since their work is ongoing, nothing will be said about the suspected perpetrators, said Scott Jones, head of Canadian Centre for Cyber Security.

The RCMP was notified of unusual activity Tues., Aug. 11, Ms. sButikofer said.

“The confidence and trust that individuals and businesses have in the CRA are the cornerstones of Canada’s tax system,” she said.

She said the revenue agency’s teams have been “working around the clock to resolve these issues and protect the confidential information of Canadians.”

Accounts of affected individuals have been revoked and letters have been sent to these people, she added.

Asked during the briefing if the government would apologize, Mr. Brouillard sidestepped the question.

Story continues below advertisement

“It’s not a matter of being sorry or not sorry,” he said. “Of course, this is not something we want to happen. But we are reacting to those attackers and addressing them and mitigating those services as much as possible. And that does include supporting Canadians.”

An expression of regret did, however, come from Lori MacDonald, chief operating officer at Service Canada.

“Certainly we apologize for any inconvenience on behalf of the government of Canada caused to any of our clients,” she told the briefing.

All CRA My Account users are encouraged, once services have been reactivated, to enable e-mail notifications as a security measure, Butikofer said. This allows taxpayers to be contacted by e-mail if their address or direct-deposit information has been changed on CRA records.

“These notifications act as an early warning to Canadians of potentially fraudulent activity on their accounts.”

Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the day’s most important headlines. Sign up today.

Report an error
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies