Canada Revenue Agency Credential Stuffing Attack

From Privacy Wiki
Jump to navigation Jump to search
Canada Revenue Agency Credential Stuffing Attack
Short Title Credential Stuffing Attack Compromises Government Employees Accounts and Citizen Tax Information
Location Canada
Date August 2020

Solove Harm Insecurity
Information Identifying, Professional, Transactional
Threat Actors Canadian government

Affected Taxpayers in Canada, Governmental employees in Canada
High Risk Groups Employees
Tangible Harms

In August 2020 the Canadian government has confirmed a credential stuffing attack that compromised government employee accounts and citizen tax information.


A relatively small credential stuffing attack successfully hit the Canadian government in August 2020 compromising thousands of accounts in both the Canada Revenue Agency (CRA) and the public-facing GCKey service (Government of Canada's online services). In total, about 14,500 accounts were compromised with a more limited amount used to access government services for purposes of fraud. This is an example of Insecurity.

Highly sensitive financial and other personal information was exposed to the attackers.

GCKey is used across multiple Canadian government departments and allows citizens to access a variety of different services: unemployment insurance claim, pension plan management, accounts for immigrants and refugees to navigate legal obligations and social services, passport and visa services among other options.

The accounts that were breach appear to be those that were using username and password combinations that were exposed in other breaches of unknown origin.


Threat: Government not protecting tax payers and its employees personal information from improper access
At-Risk group: taxpayers and governmental employees
Harm: Insecurity
Secondary Consequences: not known

Laws and Regulations