CRA cyberattack victims say they notified agency about hack long before breaches confirmed
TORONTO -- Following the Canada Revenue Agency’s admission over the weekend that thousands of Canadians’ accounts had been compromised in a series of recent cyberattacks, several victims say they notified the CRA about the hacks weeks – and even months – earlier.
According to the CRA, hackers accessed the accounts of 5,500 Canadians using stolen usernames and passwords in three separate cyber security incidents. Government officials said they first learned of the security issues on Aug. 7 and contacted the RCMP to investigate on Aug. 11.
However, Linda Bradford said she alerted the CRA about a breach in her account months earlier, all the way back in May.
She said she first spoke with a CRA representative on May 8 to tell them her account information had been changed without her consent. The bank account to which her Canadian Emergency Response Benefit (CERB) payments were deposited had been switched to a new one at Tangerine Bank, which she had not opened.
Bradford said the CRA agents she spoke with didn’t know what had happened to her account and opened an investigation with Tangerine Bank. Since then, she said she has spoken with approximately seven CRA representatives to have her CERB payments reinstated.
“It was just insane,” she told CTVNews.ca during a telephone interview on Tuesday. “I cannot tell you how many hours I spent on the phone.”
Bradford, who has run a bed and breakfast for 19 years with her husband in Owen Sound, Ont., has been collecting CERB since the pandemic began. She said they haven’t reopened and still rely on CERB because they’re both in their seventies and her husband is immunocompromised.
The business owner said she became angry when she learned that government officials were telling the public they only became of aware of the cyberattacks in early August.
“My reaction was ‘You liars. You knew,’” she recalled. “I probably wasn’t the first person to call and I called May 8.”
Another victim of a cyberattack, Sara – who did not want her full name used because she works for another department of the federal government – said she also notified the CRA about her account long before Aug. 7.
It’s unclear whether the hacks involving Sara and Bradford’s accounts are related to the larger security incidents recently announced by the CRA.
The agency says it has noticed an increase in scams in the “past few years,” and during the pandemic there’s been a focus on CERB payments -- unconnected to the cyberattacks.
“Fraudulent activity on taxpayers’ CRA accounts prior to August 7 may not be related to these recent cyber security incidents,” a CRA spokesperson told CTVNews.ca in an emailed statement.
“These recent cyber security incidents are a deliberate and systematic attack on the CRA systems, but smaller, targeted scams on individual taxpayers also occur. External breaches have provided personal information such as names, SIN, date of birth, address, and other financial/tax information. Information from these breaches can be collected and combined to allow someone to impersonate someone online, over the phone, open bank accounts, etc.”
Sara said she realized her account had been compromised when she received an email on July 16 informing her that her email address had been removed from her CRA profile. When she went to investigate the next day, Sara said she discovered her account information had been updated and a new TD Bank account had been added without her knowledge.
Sara said she called the CRA that day and learned that someone had applied for CERB in her name and the payment was in the process of being delivered to the account with TD Bank. She said she was told that a resource officer would call her back 24 hours later.
When she didn’t hear back from the CRA after a few days, Sara said she called them again on July 21. Since then, she has learned that CERB payments had been made from her account and it has been disabled.
Sara said she’s been frustrated by the lack of communication from the CRA and the fact that they said they only learned about the breaches on Aug. 7.
“Even if I was the first to have called, [the breach to my account was] pretty substantial, and to think that nothing was locked down until the seventh of August...” she said. “I would have hoped that somebody would have looked into it and did what they needed to do to lock down the access.”
Rick Pantridge, from Whitby, Ont., said he went through a similar situation as Sara and Bradford when he was unexpectedly notified by the CRA that the banking information on the account had been changed on July 31. He said he also received another email alerting him that his application for CERB had been approved – even though he never applied for one.
The 64-year-old said when he followed up with a CRA agent later that morning, she told him he was the third caller she had spoken to that day with a similar problem. He said she was also unable to reassure him that his SIN had been protected in the cyberattack.
Pantridge said his CRA account was locked down and he was told he would receive a call from another agent in 24 hours. Like Sara, he never received one.
“I have never heard from them. I've tried to call, but the wait times are insane,” he told CTVNews.ca during a telephone interview on Wednesday.
Pantridge said he was “ticked” when he read that the CRA said they only just found out about the breaches and that reusing passwords was to blame for the hacks.
“They kind of implied that because you use your password over multiple platforms, which I pretty much promise you 100 per cent of the population does, it’s your fault,” he said. “You're the CRA, you should be the toughest organization to crack cyber-wise.”
All of the victims CTVNews.ca spoke with said they have been on pins and needles as they closely monitor their bank accounts to see if anyone has applied for a loan or a credit card in their names.
“No one has tried anything yet, but you don’t know,” Bradford said. “I’m a pretty innocent, honest person here. I don't think like a criminal. So I don't know all the things they could do with my SIN [social insurance number].”
“It's just so unnerving that somebody else has all this information,” Sara said. “They know my child's name, they know my child's date of birth, they know where I live… I feel so violated.”