In mid-August, cybercriminals targeted the Canada Revenue Agency with two credential stuffing attacks, obtaining the usernames and passwords of 9,041 GCKey accounts, and 5,500 CRA accounts. The fraudsters then used the stolen login credentials to apply for the Canadian Emergency Response Benefit (CERB).
In response to the attack, a statement released by the Office of the Chief Information Officer of the Government of Canada notes that access to all affected accounts has been “revoked” to protect taxpayer information.
The CRA has also temporarily shut down online services on the CRA website, such as My Account, My Business Account, and Represent a Client.
While the federal government’s response was swift, the breach has left many without access to vital support in the aftermath of a devastating global pandemic.
The data breach is just one of many hacks that have emerged since the start of the COVID-19 pandemic. With 90% of security professionals reporting that the volume of attacks they’ve faced has increased during 2020, it’s crucial to understand how breaches like the CRA cyber attack happened to prevent future hacks.
The CRA Cyber Attack: How it Happened
The CRA was first alerted to the scam at the start of August when Canadian citizens reported that their CRA account information had changed without their permission, after receiving notification emails from the CRA.
As one user explained on Twitter: “My wife woke up to multiple emails from Canada Revenue Agency saying she was going to receive a CERB payment and her Direct Deposit information was changed.”
After logging in, the user’s wife found that “everything in her account was completely compromised and changed.”
During the attack, the hackers obtained the login credentials of CRA users from past hacks and used the stolen information to log into the accounts. Once the cyber criminals broke into the system, they changed the direct deposit information to fraud the government into sending support payments to their bank accounts.
Reflecting on the data breach, the Chief Information Officer explained that the credential stuffing attack “took advantage of the fact that many people reuse passwords and usernames across multiple accounts.” In other words, users could have prevented the attack by using strong passwords.
Key Lessons Learned from the CRA Hack
The CRA attack underlines several key lessons that individuals should take to heart to protect their confidential data:
1. Always use a unique password
Using the same password for multiple user accounts means that a fraudster only needs to hack into one account to access them all. Choosing a unique password makes it considerably more difficult for a criminal to break into your account or hijack your personal information.
2. Monitor all personal accounts/email inboxes for suspicious activity
Staying vigilant online and keeping an eye out for suspicious activity is very important for identifying when you've been the victim of a data breach. If someone other than you changes your account information, notify the service provider immediately to tell them the account was compromised.
3. Keep an eye on past hacks
Periodically checking to see if your personal information has been leaked with public resources like haveibeenpwned.com and BreachAlarm can give you a heads-up when you need to change your account password.
How to Protect Your Data from Similar Cyber Threats
Protecting yourself and your data against cyber threats like the CRA cyber attack is all about preparation. You can safeguard against threats like credential stuffing, phishing attempts, and brute force hacks by implementing the following best practices:
1. Create a strong password
Knowing how to create a strong password will make it much more difficult for attackers to guess or brute force your login credentials. Strong passwords are those with a mixture of 8 letters, numbers, and symbols. Try to avoid dictionary words, sequential numbers, birth dates, or easily guessable personal information. If the service offers two-factor authentication, enable it for greater security.
2. Use a password manager
Realistically, if you're managing over five user accounts, it's going to be quite challenging to remember all those passwords yourself. Instead of trying to memorize them, use a password manager to store your passwords securely in an application.
3. Undergo Security Awareness Training
Knowledge is your number one weapon against modern cyber criminals, and undergoing security awareness training will teach you about the latest cyber threats, such as phishing scams, which try to manipulate you into giving up your personal data.
4. Update your devices/software regularly
Hackers look for vulnerabilities in your software to exploit so they can steal your personal information. Regularly updating to the latest OS on a given device patches vulnerabilities so that attackers can't capitalize on them.
5. Don’t store personal data in the cloud
While storing data in the cloud is convenient, it isn't necessarily secure. Most cloud storage providers don't offer encryption for data at rest, which increases the risk of fraud and identity theft.
6. Research COVID-19 related scams
COVID-19 related scams have increased remarkably over the past few months, so it’s vital to scrutinize every email or SMS message that requests you to renew a subscription or update your account details. As a rule, never click on web links from unknown senders (and cross-check links from senders who appear legitimate!).
7. Enable account alerts and notifications
Many services offer you the ability to send you notifications for various activities performed on your account. Enable them and act swiftly if you receive a notification about your account.
Recap
The CRA cyber attack is yet another example of cyber criminals capitalizing on Covid-19 to commit fraud. The good news is that you can mitigate threats like credential stuffing through careful password management and regular security awareness training.
Periodic training will give you the tools to spot and defend against the latest techniques fraudsters are using to steal personal information. Ultimately, the more you know about the types of attacks you’re exposed to, the better you can counter them and protect yourself online.
Want more tips on how to create passwords that are stronger than a mid-80s Arnold Schwarzenegger character? Download the Strong Password Kit for free now!
Protecting your data with a Strong Password Kit
Download this Kit for more password resources.