Canada Revenue Agency Credential Stuffing Attack
| Canada Revenue Agency Credential Stuffing Attack | |
|---|---|
| Short Title | Credential Stuffing Attack Compromises Government Employees Accounts and Citizen Tax Information |
| Location | Canada |
| Date | August 2020 |
| Solove Harm | Insecurity |
| Information | Identifying, Professional, Transactional |
| Threat Actors | Canadian government |
| Individuals | |
| Affected | Taxpayers in Canada, Governmental employees in Canada |
| High Risk Groups | Employees |
| Tangible Harms | |
In August 2020 the Canadian government has confirmed a credential stuffing attack that compromised government employee accounts and citizen tax information.
Description
A relatively small credential stuffing attack successfully hit the Canadian government in August 2020 compromising thousands of accounts in both the Canada Revenue Agency (CRA) and the public-facing GCKey service (Government of Canada's online services). In total, about 14,500 accounts were compromised with a more limited amount used to access government services for purposes of fraud. This is an example of Insecurity.
Highly sensitive financial and other personal information was exposed to the attackers.
GCKey is used across multiple Canadian government departments and allows citizens to access a variety of different services: unemployment insurance claim, pension plan management, accounts for immigrants and refugees to navigate legal obligations and social services, passport and visa services among other options.
The accounts that were breach appear to be those that were using username and password combinations that were exposed in other breaches of unknown origin.
Breakdown
Threat: Government not protecting tax payers and its employees personal information from improper access
At-Risk group: taxpayers and governmental employees
Harm: Insecurity
Secondary Consequences: not known