GCKey accounts and Canada Revenue Agency affected in two separate incidents


Canadian governmental services fell victim to two separate cyber-attacks this week, forcing some websites offline.

The Canada Revenue Agency (CRA) and GCKey accounts were subject to credential stuffing attacks, the government confirmed on August 15, compromising thousands of accounts.

GCKey accounts allow citizens to access services including immigration and citizenship services and employment and social resources.

These accounts are used across 30 federal departments, the Treasury Board of Canada Secretariat announced in a statement.

“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts,” the statement read.


Read more of the latest cybersecurity news from Canada


Of an estimated 12 million GCKey accounts, 9,041 were accessed fraudulently. A third of those accessed were used to log into services.

Approximately 50,000 CRA accounts were targeted both in the GCKey attack and a separate credential stuffing attack.

“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount,” the statement continues.

The government is carrying out an investigation with the Royal Canadian Mounted Police to determine whether any data was exfiltrated from these accounts. The Office of the Privacy Commissioner has also been contacted.

“To help reduce the risk of cyberattacks, always use a unique password for all online accounts,” the government advised. “Do not reuse the same password for different systems and applications and regularly monitor all online accounts for suspicious activity.”


READ MORE Data breach at Canadian insurance firm exposes personal information