Investigation uncovers serious flaws in CRA and ESDC security, leading to a large-scale data breach affecting 48,000 Canadians. (Getty Images)
A recent investigation led by the Canadian privacy commissioner sheds light on a significant data breach that occurred four years ago, affecting around 48,000 Canadians. According to the commissioner, the breach was a result of inadequate IT security measures, particularly in authentication protocols, within the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC).
The breach, which took place in 2020, involved attackers utilizing a technique called credential stuffing, where stolen usernames and passwords from previous breaches were used to gain unauthorized access to the systems of both CRA and ESDC. This breach not only led to the theft of sensitive personal data but also enabled the hackers to divert government payments, including COVID-19 relief funds and tax refunds, to their own accounts fraudulently.
The investigation highlighted several shortcomings in the security infrastructure of both organizations. It was found that they had underestimated the level of identity authentication required for their online services, given the sensitivity of the information they handled. Additionally, there were lapses in promptly detecting and containing the breach, attributed to inadequate security assessments and testing, as well as limited information sharing between departments.
Following the breach, both CRA and ESDC have implemented mandatory multifactor authentication for all their individual, business, and representative accounts. However, it was noted that these departments failed to comply with provisions of the Privacy Act, which outlines rules for federal agencies.
The breach exploited vulnerabilities in the authentication systems of both CRA and ESDC, allowing attackers to manipulate personal information, redirect payments, and fraudulently apply for benefits. The report also uncovered other breaches related to COVID-19 benefits fraud, which were not initially reported to the privacy commissioner's office.
Moreover, the investigation revealed delays in completing the inquiry due to bureaucratic hurdles, including delays in receiving necessary information from relevant government agencies and disputes over access to internal reports. Additionally, concerns were raised regarding restrictions on interviewing individuals involved in the breach, citing privilege and ongoing legal proceedings.
In response to the findings, both CRA and ESDC have agreed to implement recommendations aimed at enhancing communication, decision-making frameworks, and security protocols to prevent future breaches and improve responses to privacy incidents. However, challenges remain in ensuring robust identity verification processes and addressing systemic vulnerabilities in government systems.
