{"id":44180,"date":"2024-02-15T13:49:48","date_gmt":"2024-02-15T18:49:48","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=558812"},"modified":"2024-02-15T13:49:48","modified_gmt":"2024-02-15T18:49:48","slug":"inadaquate-id-authentication-blamed-for-2020-data-thefts-at-canada-revenue-esdc","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/inadaquate-id-authentication-blamed-for-2020-data-thefts-at-canada-revenue-esdc\/","title":{"rendered":"Inadequate ID authentication blamed for 2020 data thefts at Canada Revenue, ESDC"},"content":{"rendered":"<p>The theft of tax and employment records of 48,000 Canadians four years ago was the fault of poor IT authentication security, says the country&#8217;s privacy commissioner.<\/p>\n<p>Attackers employed credential stuffing, replaying usernames and passwords stolen in earlier breaches, to get into the IT systems of the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC) in 2020, allowing them not only to steal data, but also to fraudulently redirect government COVID-19 payments and tax refunds to themselves.<\/p>\n<p>The investigation by Privacy Commissioner Philippe Dufresne, <a href=\"https:\/\/priv.gc.ca\/en\/opc-actions-and-decisions\/ar_index\/202324\/sr_pa_20240215_gckey\/\" rel=\"noopener\">released today<\/a>, &#8220;found that both organizations had &#8216;under-assessed&#8217; the level of identity authentication that was warranted for their online programs and services, given the sensitivity of personal information involved.<\/p>\n<p>&#8220;Moreover, ESDC and CRA had not taken the necessary steps to promptly detect and contain the breach, due in part to inadequate security assessments and testing of its authentication and credential management systems, and limited accountability and information sharing between departments.&#8221;<\/p>\n<p>The under-assessment of the level of identity authentication needed wasn&#8217;t justified, given the elevated value and 
sensitivity of the personal information someone could get their hands on, the report says. &#8220;While single-factor authentication may have been common practice at the time, common practice does not necessarily equate to compliant practice,&#8221; it adds.<\/p>\n<p>Since the breach, both CRA\u00a0and\u00a0ESDC have implemented mandatory multifactor authentication for all their individual, business and representative accounts.<\/p>\n<p>Both departments failed to meet provisions of the Privacy Act, which sets rules for federal agencies.<\/p>\n<p>In August 2020, the federal government admitted that attackers using credential stuffing had gained access to certain CRA online accounts and other departments\u2019 online accounts accessible via the Government of Canada\u2019s centralized \u201cGCKey\u201d authentication service and\u00a0CRA\u2019s own login portal.<\/p>\n<p>At the time, CRA\u00a0and\u00a0ESDC had a system in place that allowed individuals who logged in via\u00a0ESDC\u2019s portal to freely access accounts held in that individual\u2019s name at\u00a0CRA and vice versa, without any additional authentication. In effect, the weaker of the two portals set the level of protection for both.<\/p>\n<p>The credential stuffing attack started around July 23, 2020, on ESDC\u2019s Enterprise Cyber Authentication Solution and Canada Student Loan systems, which the report refers to as ESDC\u2019s portal. The portal uses Shared Services Canada\u2019s\u00a0GCKey Service, which is operated by 2Keys Corporation under the direction of the government.<\/p>\n<p>A few days later, another automated credential stuffing attack started on CRA\u2019s online service accounts through its portal. The attackers initially exploited a 20-month-old misconfiguration in\u00a0CRA\u2019s system, allowing them to bypass CRA\u2019s requirement for users to answer a security question when logging in from a new device.\u00a0ESDC\u2019s portal did not have this requirement at the time, and thus did not require such a bypass. 
After\u00a0CRA fixed the misconfiguration, the report says, attackers renewed their credential stuffing attack on the CRA\u00a0portal by \u201cstuffing\u201d usernames, passwords, and answers to security questions.<\/p>\n<p>2Keys alerted\u00a0ESDC\u00a0to\u00a0<em>new<\/em>\u00a0accounts that appeared to have been created by the attackers. This alert led\u00a0ESDC, beginning Aug. 27, 2020, to discover over 2,000 cases of identity theft.<\/p>\n<p>Attackers were able to fraudulently apply for new benefits at ESDC\u00a0and create new accounts in individuals\u2019 names without their knowledge. In November 2020,\u00a0CRA\u00a0also separately discovered a case of identity theft where attackers successfully created new credentials for a\u00a0CRA capability allowing an individual to represent a client, and subsequently accessed information of 36 businesses, including over 8,000 individuals\u2019 sensitive personal information.<\/p>\n<p>The report says attackers used approximately 26,000 CRA\u00a0\u201cMy Accounts,\u201d one\u00a0CRA \u201cRepresent a Client\u201d account, 6,000\u00a0ESDC\u00a0\u201cMy Service Canada Accounts,\u201d and 112\u00a0ESDC business accounts to access the contact information, identifiers [including social insurance numbers (SINs) and dates of birth] and sensitive financial, banking and employment information of 14,000 individuals held by ESDC\u00a0and of 34,000 individuals held by\u00a0CRA.<\/p>\n<p>Attackers also modified personal information in accounts &#8211; changing direct deposit and address information to redirect existing payments to the attackers, as well as applying for new benefits such as the pandemic Canada Emergency Response Benefit, Employment Insurance (EI) benefits, and tax refunds.<\/p>\n<p>That&#8217;s not all. 
During the final stages of Dufresne&#8217;s investigation, he learned that other breaches, which the CRA does not connect to this credential stuffing attack, had been detected in 2020 and weren&#8217;t reported to his office. Preliminary information indicates that up to 15,000 individuals could have been similarly affected by these breaches, which were, like the breach examined in the report, related to COVID-19 benefits fraud.<\/p>\n<p>The report stresses the risk of serious damage to people from cyber attacks on government databases. In late 2022, Dufresne&#8217;s office received a complaint from an individual who was the victim of identity theft at ESDC. From late November to December 2020, attackers applied for fraudulent EI\u00a0benefits and opened an online account at\u00a0ESDC in his name. Over the next two years, they were able to repeatedly apply for benefits in his name without being detected by\u00a0ESDC. When the individual later lost his job, he couldn&#8217;t get EI benefits &#8212; he was told by the department he&#8217;d already received his maximum benefits. Then he was held liable by ESDC\u00a0and\u00a0CRA to pay taxes on those fraudulent benefits he never received. That case was only resolved after Dufresne&#8217;s office stepped in.<\/p>\n<p>Government guidelines on authentication requirements set out four levels of assurance for departments to follow. Level 4 requires that there be &#8220;very high confidence&#8221; an individual is who they say they are to access their account online. 
In 2020, both CRA and ESDC assessed the level of assurance required for their online accounts as Level 2: &#8220;Some confidence is required that an individual is who he or she claims to be.&#8221; Dufresne says they should have met a Level 3 requirement.<\/p>\n<p>Level 2 requires the collection of only one piece of evidence of identity and does not require any steps to verify the \u201clinkage\u201d of identity information to the applying individual, the report says. For Level 3, among other requirements, two pieces of evidence of identity must be collected, one of which must be foundational, such as records of birth or citizenship, and linkage must be confirmed, though acceptable linkage methods are not described in detail in the government rules.<\/p>\n<p>In the wake of the 2020 breaches, CRA\u00a0and\u00a0ESDC added address confirmation (sending an enrollment code to the address on record from previous tax filings) to an account applicant&#8217;s identity assurance processes. However, the report adds, neither department is requiring the collection of evidence of identity from applicants, or verifying linkages between the identity claimed and the actual identity using physical\/biometric comparison or equivalently robust methods.<\/p>\n<p>ESDC did not apply these improvements to accounts created using SecureKey Concierge credentials through Canadian banks until mid-2021, when it began to offer a second identity assurance authentication process, leveraging identity verification of individuals already conducted by certain Canadian financial institutions, the report says. In the interim, attackers continued to be able to exploit this vulnerability in\u00a0ESDC\u2019s identity assurance process, including in the identity theft incident experienced by the individual who later complained to Dufresne&#8217;s office.<\/p>\n<p>&#8220;In addition,&#8221; the report adds, &#8220;to our knowledge, ESDC continues to permit identity assurance without the collection of any piece of 
identity, or the verification of linkage or address confirmation for certain online services.&#8221;<\/p>\n<p>The report says both departments have agreed to implement recommendations from the Privacy Commissioner, including improving communications and decision-making frameworks to facilitate the implementation of efficient safeguards against future attacks, and rapid response to privacy breaches, as well as conducting regular security assessments.<\/p>\n<p>Why did it take four years for the privacy commissioner to complete this investigation? The receipt of written representations from\u00a0CRA,\u00a0ESDC, Shared Services Canada, and Treasury Board [which sets cybersecurity policies for government departments] was often delayed by weeks or months, or was incomplete, &#8220;requiring multiple exchanges and escalations between increasingly senior executives,&#8221; Dufresne&#8217;s report says. And an internal government report on lessons learned was initially withheld from Dufresne under a claim of solicitor-client and litigation privileges. 
ESDC\u00a0and\u00a0CRA also prepared lessons-learned \/ postmortem reports, which they would not provide to Dufresne due to claims of privilege.<\/p>\n<p>ESDC\u00a0and the Treasury Board Secretariat (TBS) also <a href=\"https:\/\/www.itworldcanada.com\/article\/class-action-against-government-of-canada-advances-following-2020-cra-privacy-breach\/544972\" rel=\"noopener\">cited a class action lawsuit<\/a> related to the breach as a factor in the delays. ESDC\u00a0further attempted to restrict the Office of the Privacy Commissioner\u2019s (OPC) access to interview individuals, citing privilege.<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/inadaquate-id-authentication-blamed-for-2020-data-thefts-at-canada-revenue-esdc\/558812\">Inadequate ID authentication blamed for 2020 data thefts at Canada Revenue, ESDC<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Data of 48,000 Canadians stolen, says federal privacy commissioner &#8212; and attackers were also able to fraudulently get COVID-19 and unemployment 
insuranc<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[58,361,16],"tags":[828,425,415,100,396,393,275],"class_list":["post-44180","post","type-post","status-publish","format-standard","hentry","category-government-public-sector","category-privacy","category-security","tag-canada-revenue-agency","tag-data-breach","tag-government-of-canada","tag-identity-management","tag-postmedia","tag-security-strategies","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/44180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=44180"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/44180\/revisions"}],"predecessor-version":[{"id":44182,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/44180\/revisions\/44182"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=44180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=44180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=44180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
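The article describes two failures a login portal owner can engineer against: an automated credential stuffing run (many stolen username/password pairs replayed from the same source, a fraction of which work) that was not detected and contained promptly, and a new-device challenge (CRA's security question) that a misconfiguration let attackers skip. The Python below is an added example and is not code from the Privacy Commissioner's report, CRA, ESDC or 2Keys. It assumes a simple whitespace-separated authentication log format, detection thresholds chosen for illustration, and a per-user "known device identifier" scheme; the `fail_open` branch of `requires_step_up` is a hypothetical fail-open bug of the same general class, not the actual CRA misconfiguration, which the report does not describe. The sample log lines are constructed.

```python
"""Credential-stuffing detection over an authentication log, plus a
fail-closed new-device step-up decision.

Added example; not code from the Privacy Commissioner's report, CRA, ESDC
or 2Keys.  Log format, thresholds and the device-identifier scheme are
assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (not real CRA/ESDC data).
# Assumed format: <timestamp> <source_ip> <username> <OK|FAIL> <device_id or ->
SAMPLE_LOG = """\
2020-07-23T02:00:01Z 203.0.113.7 alice FAIL -
2020-07-23T02:00:02Z 203.0.113.7 bob FAIL -
2020-07-23T02:00:03Z 203.0.113.7 carol OK -
2020-07-23T02:00:04Z 203.0.113.7 dave FAIL -
2020-07-23T02:00:05Z 203.0.113.7 erin FAIL -
2020-07-23T02:00:06Z 203.0.113.7 frank OK -
2020-07-23T02:00:07Z 203.0.113.7 grace FAIL -
2020-07-23T02:00:08Z 203.0.113.7 heidi FAIL -
2020-07-23T02:00:09Z 203.0.113.7 ivan FAIL -
2020-07-23T02:00:10Z 203.0.113.7 judy FAIL -
2020-07-23T02:05:00Z 198.51.100.9 alice FAIL dev-alice-1
2020-07-23T02:05:30Z 198.51.100.9 alice OK dev-alice-1
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used by the stuffing heuristic."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that logged in


def parse_log(text):
    """Parse the assumed log format into (ts, ip, user, ok, device) tuples.
    Lines without exactly five fields are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, user, result, device = parts
        events.append((ts, ip, user, result == "OK",
                       None if device == "-" else device))
    return events


def detect_credential_stuffing(events, min_attempts=8, min_distinct_users=5,
                               max_success_rate=0.5):
    """Return {source_ip: SourceStats} for sources that look like stuffing.

    A stuffing run is many attempts spread over many *distinct* usernames
    with a low overall success rate.  A legitimate user mistyping a password
    fails the distinct-users test; a stuffing run is still flagged even when
    some replayed credentials are valid, which is what makes it dangerous."""
    stats = defaultdict(SourceStats)
    for _, ip, user, ok, _ in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    flagged = {}
    for ip, s in stats.items():
        success_rate = 1 - s.failures / s.attempts
        if (s.attempts >= min_attempts and len(s.users) >= min_distinct_users
                and success_rate <= max_success_rate):
            flagged[ip] = s
    return flagged


def compromised_accounts(flagged):
    """Accounts that authenticated successfully from a flagged source: the
    containment list (forced logout, credential reset, hold on direct-deposit
    and address changes) that the report says was not produced promptly."""
    return set().union(*(s.successes for s in flagged.values()))


def requires_step_up(known_devices, user, device_id, fail_open=False):
    """Decide whether a login must pass the new-device challenge.

    fail_open=True reproduces a generic fail-open mistake: a request carrying
    no device identifier at all is treated as a known device, so an attacker
    who simply omits the identifier skips the challenge.  Hypothetical
    illustration of the bug class only; the report does not describe the
    actual CRA misconfiguration.  The default (fail closed) treats "no
    identifier" exactly like "never seen before"."""
    if device_id is None:
        return not fail_open
    return device_id not in known_devices.get(user, set())


if __name__ == "__main__":
    flagged = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, s in flagged.items():
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} users, "
              f"{len(s.successes)} successes -> credential stuffing")
    print("contain:", sorted(compromised_accounts(flagged)))
```

The success-rate bound matters more than it looks: a naive "block after N failures per account" rule never fires here, because each account is tried once. Keying on the source and on distinct usernames is what turns two quiet successful logins into an incident with a containment list.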