Thousands of Canadian citizens are at risk of identity fraud after cyber-criminals used stolen log-ins to access government services in their name, including COVID-19 relief funds.
A statement from the Treasury Board of Canada Secretariat on Saturday revealed that the attackers had used tried-and-tested credential stuffing techniques to hijack GCKey and Canada Revenue Agency (CRA) accounts.
GCKey is used by 30 federal agencies to provide Canadians with services like Employment and Social Development Canada’s My Service Canada account and Immigration, Refugees and Citizenship Canada accounts.
The government claimed that 9041 users were affected by the campaign, and in a third of cases services were accessed illegally. Around 5500 CRA accounts were targeted by this and a separate credential stuffing attack on the tax office, it added.
Although the number of affected accounts are a small proportion of the 12 million active GCKey accounts in Canada, the raid comes at a time when many are in need of government support to get them through the current financial and healthcare crisis.
Local reports claimed that some of the victims have already been defrauded after attackers successfully applied for the $2000-per-month Canada Emergency Response Benefit (CERB) for COVID-19.
“Affected GCKey accounts were cancelled as soon as the threat was discovered and departments are contacting users whose credentials were revoked to provide instructions on how to receive a new GCKey,” the government statement noted.
“The government is continuing its investigation, as is the RCMP to determine if there have been any privacy breaches and if information was obtained from these accounts. As well, the Office of the Privacy Commissioner has been contacted and alerted to possible breaches.”
The government urged Canadians to always use unique passwords for their online accounts, but presumably the attackers also succeeded because of insufficient log-in security such as two-factor authentication.