Investigation uncovers serious flaws in CRA and ESDC security, leading to a large-scale data breach affecting 48,000 Canadians. (Getty Images)


February 16, 2024

A recent investigation led by the Canadian privacy commissioner sheds light on a significant data breach that occurred four years ago, affecting around 48,000 Canadians. According to the commissioner, the breach was a result of inadequate IT security measures, particularly in authentication protocols, within the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC).

The breach, which took place in 2020, involved attackers utilizing a technique called credential stuffing, where stolen usernames and passwords from previous breaches were used to gain unauthorized access to the systems of both CRA and ESDC. This breach not only led to the theft of sensitive personal data but also enabled the hackers to divert government payments, including COVID-19 relief funds and tax refunds, to their own accounts fraudulently.

The investigation highlighted several shortcomings in the security infrastructure of both organizations. It was found that they had underestimated the level of identity authentication required for their online services, given the sensitivity of the information they handled. Additionally, there were lapses in promptly detecting and containing the breach, attributed to inadequate security assessments and testing, as well as limited information sharing between departments.

Following the breach, both CRA and ESDC have implemented mandatory multifactor authentication for all their individual, business, and representative accounts. However, it was noted that these departments failed to comply with provisions of the Privacy Act, which outlines rules for federal agencies.

The breach exploited vulnerabilities in the authentication systems of both CRA and ESDC, allowing attackers to manipulate personal information, redirect payments, and fraudulently apply for benefits. The report also uncovered other breaches related to COVID-19 benefits fraud, which were not initially reported to the privacy commissioner's office.

Moreover, the investigation revealed delays in completing the inquiry due to bureaucratic hurdles, including delays in receiving necessary information from relevant government agencies and disputes over access to internal reports. Additionally, concerns were raised regarding restrictions on interviewing individuals involved in the breach, citing privilege and ongoing legal proceedings.

In response to the findings, both CRA and ESDC have agreed to implement recommendations aimed at enhancing communication, decision-making frameworks, and security protocols to prevent future breaches and improve responses to privacy incidents. However, challenges remain in ensuring robust identity verification processes and addressing systemic vulnerabilities in government systems.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

You may also like

Bitcoin Investor Buys an Entire SpaceX Flight for the Ultimate Polar Adventure

A bold new chapter in space tourism unfolded as Chun Wang, a Bitcoin investor and entrepreneur, launched into orbit on....

Elon Musk’s xAI Acquires X in $33 Billion Stock Deal

Elon Musk’s artificial intelligence startup, xAI, has officially taken over his social media platform, X, in a deal valued at....

Trump Considers Lowering Tariffs to Seal TikTok Deal

Former U.S. President Donald Trump signalled on Wednesday that he might reduce tariffs on China to facilitate the sale of....

U.S. Robotics Firms Urge National Strategy to Compete China

American robotics companies are calling for a national U.S. robotics strategy to strengthen the industry and maintain a competitive edge....

Waymo Plans Self-Driving Taxi Service in Washington by 2026

Alphabet’s autonomous taxi service, Waymo, is expanding to Washington, D.C., with plans to launch in 2026. The announcement, made on....

Trump Aides Used Signal for Secret War Talks – What to Know

Top officials from the Trump administration reportedly used the encrypted messaging app Signal to discuss military plans, sparking concerns over....

PsiQuantum Secures $750M to Advance Quantum Computing

According to sources, Quantum computing startup PsiQuantum is securing at least $750 million in funding, pushing its valuation to $6....

Are We Ready to Mine Metals from Space? The Future of Asteroid Mining

Asteroid Mining: A Sci-Fi Dream or an Inevitable Future? For decades, space enthusiasts and scientists have imagined a future where....

Nvidia CEO Surprised By Public Quantum Computing Companies

Nvidia CEO Jensen Huang admitted he was unaware that publicly traded quantum computing firms existed when he previously commented on....

Tesla Faces Crisis: Cybertruck Recall & Musk’s Trump Ties

Tesla and its CEO Elon Musk are in hot water as controversy swirls around the company. One of Tesla’s strongest....

Humanoid Robots Could Arrive Sooner Than Expected, Says Nvidia CEO

The world may be closer to a robotics revolution than most people think. Nvidia CEO Jensen Huang believes humanoid robots....

Nvidia’s AI Vision: Jensen Huang Unveils Future at GTC 2025

Nvidia CEO Jensen Huang took center stage at the GTC 2025 conference, often dubbed “AI Woodstock,” to discuss the rapid....