Thousands of Canadians affected by recent cyberattacks on the Canada Revenue Agency and federal government computer systems could be vulnerable to other attacks, warn cybersecurity and privacy experts.
“They have to be very scared if they have another account with the same password,” said Ali Ghorbani, director of the Canadian Institute for Cybersecurity at the University of New Brunswick. “If it doesn’t happen now, it would happen tomorrow.”
Former Ontario privacy commissioner Ann Cavoukian said the risk to those whose accounts were breached shouldn’t be underestimated.
“I don’t think you can exaggerate the risk,” said Cavoukian who is now executive director of the Global Privacy and Security by Design Centre.
“If your information has been compromised then it is in the hands of hackers who could use it for a variety of unintended purposes that you may not be made aware of. It’s the CRA, it’s your financial data and it’s very sensitive information.”
CRA response to hacking
The advice comes after the federal government admitted Monday that hackers accessed the Canada Revenue Agency or GCKey accounts of an estimated 11,200 Canadians in recent days. GCKey is an online portal that allows Canadians to access government services like employment insurance and veterans benefits.
The hackers were able to do things like change bank account information and apply for government benefits, posing as the owner of the account.
The Canada Revenue Agency said Monday it is sending a letter to everyone whose account was hacked. However, in the time it takes for someone to get that letter, those same credentials could be used to strike again if someone has used the same e-mail and password combination for other accounts, said Ghorbani.
Ghorbani said there’s not much Canadians can do about information that has already been compromised — but they can and should change their passwords.
“If I am one of those people, I would basically change all of my passwords across all of the accounts that I have. And this time I would make sure that these passwords are unique and different from each other.
Marc Brouillard, acting chief information officer with the Treasury Board, said the hacking technique, known as “credential stuffing” used e-mail addresses and passwords that had already been compromised.
“The citizens who are worried about identity theft, they already are, they already have been victims,” Brouillard told reporters during a news conference Monday. “The credentials were stolen at some point in the past and these attackers are re-using them.”
WATCH | Security official explains how a ‘credential stuffing’ cyberattack works:
Using the same password for their CRA account that they used for the account that was compromised allowed hackers to get in, he explained.
Ghorbani, whose research focuses on the human element in cybersecurity, said when it comes to cyberattacks it’s not a matter of if but of when.
“Attacks on government or industry will happen regardless because the bad guys are always on the move, finding new ways, new holes to breach and compromise.”
Dark web accounts
Ghorbani said there are an estimated 5 billion compromised accounts out there in the dark web for hackers to use or buy. The dark web is not visible to regular search engines and has a reputation of being a place where you can buy or sell everything from drugs and weapons to stolen data.
“It’s just basically a simple program where they try to log in to millions of accounts using this database information to see which one actually goes through.”
For example, in April the popular videoconferencing platform Zoom was compromised and half a million users credentials ended up on the dark web.
“If I’m a user of Zoom and I’m also using the same password for my CRA account or my bank account, I’m very much at risk now and I’m lucky if I’m not compromised because my information is out there,” said Ghorbani.
Ghorbani said the attacks could have come from anywhere but he suspects they came from outside Canada.
Canadian government officials refused repeatedly Monday to comment on the possible source of the attacks, saying it is under investigation by the RCMP.
Cavoukian said the federal government shouldn’t be blaming those whose data was breached for re-using passwords. Instead, she said, it should have had better protection of its sites.
Canadians who want to know if their accounts were breached should be able to phone or e-mail the government rather than have to wait for a letter, Cavoukian said.
Cavoukian also called on Prime Minister Justin Trudeau to act.
“Someone has to take some responsibility in terms of how this is going to be fixed and, more importantly, how are they going to prevent this from happening in the future. They have to start employing strong encryption. I don’t think they are doing that now.”
Elizabeth Thompson can be reached at firstname.lastname@example.org