OTTAWA — The Canada Revenue Agency expects online services to be fully restored by Wednesday after hackers used thousands of stolen usernames and passwords to fraudulently obtain government services.
About 5,600 CRA accounts were targeted in what the federal government describes as “credential stuffing” schemes, in which hackers used passwords and usernames from other websites to access Canadians’ revenue agency accounts.
The CRA is one of several government departments hit by the credential-attack, which was detected last Tuesday and only relayed to the public over the weekend.
The federal government confirmed the attack was worse than it thought, with three separate attacks compromising the accounts of 11,200 Canadians.
Marc Brouillard, the federal government’s acting chief information officer, says those who were impacted should take action.
“If you’ve been a victim here, there’s a good chance you are a victim elsewhere, as well. Check your bank accounts, check your social media.”
However, he says relatively few accounts were affected by the breach, considering the overall number of Canadians who use the tax service.
“Not to minimize it, but 9,000 or 11,000 out of 12-million, this was still a pretty sophisticated capacity to identify those accounts. We have thousands of transactions every day on this system, so it is a high-volume system.”
Officials say the RCMP is investigating the breaches.
The suspension of CRA’s online services comes as many Canadians are using the revenue agency’s website to access financial support related to the COVID-19 pandemic.
A senior agency official told a news briefing today that Canadians can still apply for benefit programs by calling 1-800-959-8281.
The government is advising Canadians to use unique passwords for all online accounts and to check for suspicious activity.
The Canadian Anti-Fraud Centre says more than 13,000 Canadians have been victims of fraud totaling $51 million this year. There have been 1,729 victims of COVID-19 fraud worth $5.55 million.