December 23, 2024

Nearly 13,000 Canadians potentially victims of CERB fraud after hackers accessed CRA accounts in 2020

A retired B.C. police officer is now leading a class-action lawsuit against the federal government linked to the massive data breach of the CRA’s login system

A page on the federal government’s Canada Emergency Response Benefit (CERB) website in 2020. Photo by Peter J. Thompson/National Post/File

OTTAWA — Hackers fraudulently applied for COVID-19 financial benefits on behalf of 12,700 unsuspecting Canadians after a cyber attack on Canada Revenue Agency’s online system in 2020, court documents reveal.

Thousands of Canadians were stunned to find out in the summer of 2020 that their credentials to log in to sensitive online government services like CRA’s MyCRA portal had been compromised by hackers.

The government initially thought that 5,500 CRA accounts had been potentially compromised through two cyber attacks. Both were tied to “credential stuffing” incidents in which hackers try to log in to websites illegally on victims’ behalf using troves of stolen credentials.

One month after the CRA hack, the government admitted that forensic analysis revealed “suspicious activities” on 48,500 accounts, nearly 10 times more than first suspected.

A federal court ruling last week reveals for the first time the scope of the hackers’ success. Over nearly two weeks, fraudsters changed taxpayers’ direct deposit banking information and then “fraudulently” applied for the $2,000-per-month Canada Emergency Response Benefit (CERB) on 12,700 different MyCRA accounts.

The ruling does not reveal the total value of fraudulent benefit claims related to the breach. But just one $2,000 CERB payment for each of the 12,700 victims is worth $25.4 million.

One of the hackers’ victims was Todd Sweet, who found out when he logged into his Canada Revenue Agency account back in 2020 that not only had criminals stolen his data, but fraudulently applied for COVID-19 emergency benefits four times.

Now, the retired B.C. police officer is leading the charge with a class-action lawsuit against the federal government linked to the massive data breach of the CRA’s login system that compromised the data of thousands of Canadians.

The complainants say that the government’s “system negligence” to protect their data cost them dearly, such as: damage to their credit score, mental distress, identity theft, credit card fraud and “time lost in communication with the CRA.”

Late last week, the Federal Court ruled that the class-action lawsuit was certified and could go forward.

The same summer, another credential stuffing attack was successfully conducted against the government’s “GCKey” login system, which allows access to My Service Canada Accounts and is used by 30 government departments, including the RCMP and Immigration Canada.

The Federal Court ruling reveals that nearly 6,000 accounts were potentially compromised, and that hackers managed to fraudulently apply for CERB and other COVID-19 financial benefits through 1,200 of them before their access was cut off.

CRA declined to comment on the lawsuit. According to the ruling, the agency argued that the complainants, represented by law firm Rice Harbut Elliott, did not demonstrate any systemic negligence on its part.

In a statement, the agency said it has beefed up its cyber-defence systems since the breaches, including adding multi-factor authentication and immediately locking an account if the agency believes it is compromised.

“No organization is immune to cyber incidents or fraudulent activity. This is why the CRA has robust systems and tools in place to monitor, detect, investigate and quickly neutralize potential threats. As scammers adapt their practices, so does the CRA. We regularly adjust and improve our security measures in response to this ever evolving threat environment and continuing intrusion attempts,” CRA spokesperson Etienne Biram said in an email.

“We are committed to assisting individuals affected by fraud or identity theft, and have dedicated teams to promptly address any matters when they arise.”

But that isn’t Sweet’s experience. In an affidavit to court in support of the lawsuit, Sweet says he received an email from CRA in July 2020 telling him his email had been removed from his MyCRA account. When he logged in to check why, he discovered that his direct deposit information had been changed three days prior.

But even worse: a hacker had made four applications for CERB on his behalf worth a total of $8,000 and had the money deposited into their account, he says in an affidavit.

Sweet then began a Kafkaesque process to prove to CRA that he had not made any of those changes nor applied for CERB. He spent hours on the phone with the agency and sent them numerous correspondences, as well as filing a police report with the RCMP.

It was only in late September that the government sent him a letter informing him that his personal information had been compromised during the data breach, he wrote in court documents.

Despite telling the agency multiple times that he had never applied for CERB, he received a “distressing” letter in October 2021 from CRA telling him he’d have to pay taxes on the $8,000 of CERB claimed illegally on his behalf.

“As a result of the breach to my CRA account … I have spent at least 20 hours gathering information, filling out forms, and contacting different agencies to deal with the account breach and to protect my identity and prevent further harm,” Sweet said in his affidavit.

“The CRA account breach has caused me to question the ability of the CRA to securely store my personal and financial information. I am very concerned about whether my personal and financial information is safe with the CRA, and I am skeptical of whether the CRA will do anything to prevent similar incidents,” he added.

In the ruling certifying the class-action lawsuit, Judge Richard F. Southcott found that claimants may be eligible for damages, and that some evidence shows that there may have been both a breach of confidence by the government and intrusion upon seclusion.
