Government departments lacked adequate protections to fend off a “sophisticated and co-ordinated” cyberattack that compromised the sensitive information of tens of thousands of Canadians, the federal privacy watchdog has found.
In a report tabled on Feb. 15, privacy commissioner Philippe Dufresne describes how the lapse at the Canada Revenue Agency and Employment and Social Development Canada in summer 2020 allowed hackers to fraudulently collect payments.
The report says the breach of financial, banking and employment data led to numerous cases of fraud and identity theft, including many illicit applications for COVID-19 emergency response benefits.
The investigation found the revenue and employment departments had underestimated the level of identity authentication needed for their online programs and services.
The commissioner also concluded the departments did not take the necessary steps to promptly detect and contain the breach.
Both organizations have agreed to implement recommendations aimed at ensuring efficient safeguards against attacks, rapid response to breaches and regular security assessments.
“Federal government departments and agencies are attractive targets for cyberattacks and must have robust safeguards to mitigate against breaches and protect the sensitive personal information and programs that they manage,” Mr. Dufresne said in a statement.
“If a breach does occur, it is crucial that organizations act promptly to remedy the situation and prevent further damage to those affected.”
The commissioner found that attackers used, among other things, the revenue agency’s sign-in portal and ESDC’s “GCKey” authentication service to get into their online services and access individuals’ accounts using stolen login information and passwords obtained during previous breaches.
Attackers used a technique known as credential stuffing, allowing them to access, modify and create new online accounts in these stolen identities to fraudulently redirect government benefit payments to other bank accounts, the report says.
It also notes challenges the commissioner faced in the form of “delayed and missing breach reports and accessing information from departments during the investigation.”
“Unnecessary delays can increase harms flowing from a breach and hinder the investigative process,” the report says.
In addition, the commissioner’s office is following up with the revenue agency on separate breaches regarding Canada Emergency Response Benefit fraud in 2020, which it learned about in the final stages of the initial investigation.
Preliminary information indicates 15,000 individuals may have been affected.
Notwithstanding these concerns, the office says it is encouraged by the commitment from both the revenue and employment departments to implement the recommendations.
“We will expect all government departments to consider the lessons from this report in reducing the probability of a future breach of this magnitude.”