Canadian Privacy Commissioner’s Takeaways From CRA And GCKey Cyber Breach – Lessons For Government Departments And Agencies

On March 28, 2024, the Office of the Privacy Commissioner of Canada (OPC) published a Privacy Act Bulletin (Bulletin) summarizing key takeaways from its investigation into the 2020 cyber breach that affected the Canada Revenue Agency’s (CRA’s) sign-in portal and Employment and Social Development Canada (ESDC’s) “GCKey” authentication service.

As previously reported by the E-TIPS® Newsletter here, cyber attackers employed a tactic called “credential stuffing”, which used login credentials that were leaked in separate, past data breaches to access the online accounts of individuals that had reused those login credentials for their CRA and other government accounts. This cyber breach compromised the financial and employment information of tens of thousands of Canadians with serious consequences including, among other things, the attackers changing individuals’ registered deposit information to redirect deposited funds to the attackers’ accounts, and stealing individuals’ identities to fraudulently apply for governments benefits in their name. The OPC’s full report on the investigation can be found here.

The Bulletin offers the following key lessons for government departments and agencies to learn from the incident:

1. Address Privacy Risks. Thoroughly assess and address the privacy risks relating to your programs and services, including determining when it is necessary to conduct privacy impact assessments.
2. Guard Against Bad Actors. Take reasonable steps to prevent malicious modification or false submission of personal information by bad actors (e.g., an individual impersonating someone else to apply for government benefits).
3. Follow Identity Assurance Standards. Where personal information is required to confirm one’s identity prior to accessing a government service, government employees should be able to confirm individuals’ identities with confidence. In circumstances where moderate harm may result if information is compromised, departments should align their practices with internationally accepted identity assurance standards.
4. Conduct Security Assessments. Government departments and agencies that handle significant amounts of sensitive personal information should regularly assess their security safeguards and promptly address any gaps.
5. Monitor to Detect Problems. The OPC recommends having an effective monitoring regime in place and actively auditing logins for suspicious activity.
6. Prepare for Immediate Action. Organizations should be ready to act quickly to remedy the fallout of a breach and prevent further harm, including initiating containment protocols as well as assessing, mitigating, and, in the case of a material privacy breach, fulfilling legal reporting obligations to the OPC and Treasury Board of Canada Secretariat.
7. Avoid Working in Silos. The OPC reminds those that work on programs involving multiple federal departments and agencies to ensure all parties are aware of the vulnerabilities existing in their shared system. Further, each party should know their respective role as it relates to personal information and all accountable parties should provide input on decisions relating to shared safeguards.

Summary By: Imtiaz Karamat