The federal government’s top IT officer says that last week’s credentials stuffing hack of 11,000 tax and service accounts of Canadians does not mean its systems failed to protect people’s information.
Related:
Thousands of government service and CRA accounts hit by credential stuffing attack
“I would argue, no,” Marc Brouillard, acting chief information officer, told reporters during a press briefing this morning. “Quite the opposite. The system worked. We were able to identify these fraudulent actions coming in through some pretty sophisticated analytics that detected [suspicious] behaviours. From a systems perspective, this is a person trying to log into the system and our tools were able to detect those patterns that were suspicious and identify those that were not valid.
“Once those accounts were identified as potentially compromised, that’s when the system jumped into action and disabled accounts.
“It’s important to know when we’re watching those systems we’re not affecting valid users,” he added. “It’s always a complicated matter to analyze that traffic and make sure we’re detecting true malicious intent versus people just forgetting their passwords.”
When it was pointed out that attempts were detected, but thousands of accounts were still compromised, Brouillard replied, “Not to minimize it, but 11,000 of 12 million [accounts]” were compromised. “This was still a pretty sophisticated capacity to identify those accounts. We have thousands of actions every day on these systems, so it is a high-volume system.”
Asked why the government didn’t implement two-factor authentication long ago for all external user logins, Brouillard acknowledged some 2FA systems would have stopped these attacks, particularly those requiring users have a USB key or a device that generates the second factor. “However, that is something that is challenging. Not everyone can have those things. We also have to worry about making our systems accessible and easy to use. It is a balancing act. We are looking at different technologies. Where multi-factor is available, we are encouraging it, and we’re at ways to strengthen our systems to be able to address these issues.”
Hackers got into two systems:
- The GCKey service, which Canadians use to access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account. About 9,000 of 12 million active accounts and about one-third were compromised. The GCKey service is now back online. Among the changes quickly introduced in the wake of the attack, the government has added a Captcha-like system to those trying to log in. Because of the systems, the attacks were detected early and “largely” mitigated, said Brouillard.
- The Canada Revenue Agency (CRA), which handles income and business tax accounts. Online access to the CRA system is not expected to be restored until Wednesday when additional security systems are added.
The technical briefing also added one new piece of information about the attacks. The CRA attack hackers were also able to exploit a vulnerability in the configuration of security software solutions, which allowed them to bypass CRA security questions and gain access to a user’s CRA account. This vulnerability was patched, and the risk of this attack vector has been mitigated, Brouillard said. He refused to give more details.
Brouillard also said the RCMP was notified on Aug. 11 of the cyberattacks, but Canadians didn’t find out about them until the weekend.
Annette Butikofer, the CRA’s chief information officer, said the credentials-stuffing attack on CRA was made up of three stages and involved about 5,600 of the agency’s 15 million accounts. The first attacks involved about 3,600 CRA accounts related to GCKey accounts. (UPDATE: After this story was filed the government said this first incident occurred August 5th.) The second involved an attempt to access 2,000 taxpayer accounts directly through the CRA portal. This attack was detected and immediately shut, she said. The third incident began early on Aug. 15 with a large amount of traffic from a botnet. After being discovered, the portal was closed and will remain closed until the middle of the week.
When service is restored, Butikofer “strongly” recommends users of the CRA MyAccount online service enable email notifications, which signals users if their address or deposit information has been changed by someone. She also noted taxpayers have the option of creating a unique PIN number for added security when calling the agency.
Meanwhile, online access has been restored for organizations using the MyBusiness service for COVID wage subsidies.
Brouillard and other senior officials who spoke during the briefing stressed that the attacks were successful because hackers used credentials that had been stolen or bought from previous cyberattacks elsewhere, credentials that residents also used on their government accounts. “Credential stuffing takes advantage of a common weak-point,” Brouillard said. “The tendency of many users is to re-use their passwords.”
Asked by a reporter why the government doesn’t use a system that alerts external users they are using a password that has been identified as stolen in other attacks, Brouillard said the government is always looking at new technology.
Butikofer also said the credentials of CRA users impacted by the hacks have been revoked. Each victim will receive a letter from CRA explaining how to confirm their identity to restore online access. The link between CRA accounts and Service Canada accounts has been temporarily disabled to prevent an attacker from using access from one system to get into another.
UPDATE: Access to all CRA accounts was restored August 19th by 5 p.m.