On August 15, 2020, the Government of Canada released a Statement advising that the GCKey service and Canada Revenue Agency (CRA) accounts were the subject of “credential stuffing” attacks and that online CRA services would be temporarily disabled as a precaution.

“Credential stuffing” attacks use usernames and passwords collected from previous hacks of third-party accounts and exploit the fact that many people reuse the same login information across different accounts.

The Statement advises that 9,041 users’ GCKey usernames and passwords were acquired fraudulently and used to try to access government services. The cyberattack also targeted approximately 5,500 CRA accounts. The government subsequently confirmed that 11,200 accounts were compromised in total. Affected accounts have been disabled and the government is contacting all affected individuals.

The government, RCMP, and federal privacy commissioner are investigating the cyberattack. CRA online services were restored on August 19, 2020.

Summary By: Michelle Noonan


20 08 26


E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.