Victim of CRA breach says someone applied for CERB with her account
TORONTO -- When Leah Baverstock received an email on August 7 telling her that her application for the Canadian Emergency Response Benefit (CERB) had been approved, she was more than a little confused.
After all, she hadn’t applied to the program.
Baverstock is one of thousands of Canadians who had their accounts with the Canada Revenue Agency compromised this month after a “credential stuffing” scheme, in which hackers used previously obtained personal information, such as logins and passwords, to access users’ online accounts.
“It’s definitely scary times,” Baverstock told CTV News Channel. “I hadn’t applied for the CERB, so that was a bit of a shocker, so I ended up calling the CRA.
“The lady I spoke with said it was a one-off. She said, ‘I’m sorry that this happened to you,’ she proceeded to give me a list of people to call, to let them know it had happened. And then I heard about the other 5,000 or 9,000 people that this happened to, and I thought, ‘This is not a one-off.’”
Officials confirmed Monday that the 5,500 CRA accounts initially reported to have been breached were the tip of the iceberg: a total of 11,200 accounts for the Government of Canada services were compromised in the attack, including CRA accounts and “GCKey” accounts, which 30 government departments use.
Marc Brouillard, the acting chief technology officer for the Government of Canada, said Monday that “bad actors […] were also able to exploit a vulnerability in the configuration of security software solutions, which allowed them to bypass the CRA security questions and gain access to a user's CRA account.”
Government officials have said that they first became aware of a security breach on Aug 7 -- the same day Baverstock reports calling the CRA about her account -- but didn’t contact the RCMP until Aug 11.
And Canadians were not informed of the breach until this past weekend, days after further attacks had been executed.
The CRA has defended its decision not to inform Canadians immediately, saying it needed time to inform people internally and try to regain access to breached accounts.
“I think about your social insurance number being your Canadian identification number, and I think if somebody has access to that, than they have access to basically anything,” Baverstock said.
“So I called the anti-fraud unit -- they’re closed due to COVID. I called Service Canada, I let them know about what was happening with my social insurance number.”
She said she’d also been in contact with her bank and other accounts she has “to let them know it’s happened, to put some additional security in place if somebody does try to apply for credit in my name.
“But it concerns me because somebody could live under my name, under my social insurance number,” she pointed out. “Live as me.”
Experts in cyber security say that reusing your passwords and logins can make you vulnerable to these types of attacks, since one breach of one account could give a hacker the tools to login to numerous accounts as you.
But passwords aren’t the full picture of this breach.
Baverstock says she didn’t even have a password for her CRA account.
“Apparently you need a code to get in, so I applied for the code back in March and they said they would mail it to me,” she said. “I still haven’t received it, and I can’t even log into my CRA account, so it blows my mind that other people can.”
Baverstock is not impressed with the CRA’s response, saying she still has no idea what is happening with her account.
“When I spoke to the officer at CRA, she advised that a senior officer would call me within 24 hours, because my account has been completely locked down,” she said. “I can’t have any information.”
She said she still has not received a call back.
“It’s been over a week,” she said. “The CRA agent, she said that there are been multiple attempts to go into my account over the past little while, I guess they can see that in their system, so, I mean I’m thinking at that point they should’ve locked my account down right then and there and notified me.
“This should never have happened.”