The theft of tax and employment records of 48,000 Canadians four years ago was the fault of poor IT authentication security, says the country’s privacy commissioner.
Attackers employed credential stuffing using previously stolen usernames and passwords to get into the IT systems of the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC) in 2020, allowing them not only to steal data, but also to fraudulently redirect government COVID-19 payments and tax refunds to the hackers.
The investigation by Privacy Commissioner Philippe Dufresne, released today, “found that both organizations had ‘under-assessed’ the level of identity authentication that was warranted for their online programs and services, given the sensitivity of personal information involved.
“Moreover, ESDC and CRA had not taken the necessary steps to promptly detect and contain the breach, due in part to inadequate security assessments and testing of its authentication and credential management systems, and limited accountability and information sharing between departments.”
The under-assessment of the level of identity authentication needed wasn’t justified, given the elevated value and sensitivity of the personal information someone could get their hands on, the report says. “While single-factor authentication may have been common practice at the time, common practice does not necessarily equate to compliant practice,” it adds.
Since the breach both CRA and ESDC have implemented mandatory multifactor authentication for all their individual, business and representative accounts.
Both departments failed to meet provisions of the Privacy Act, which sets rules for federal agencies.
In August 2020, the federal government admitted that attackers using credential stuffing had gained access to certain CRA online accounts and other departments’ online accounts accessible via the Government of Canada’s centralized “GCKey” authentication service and CRA’s own login portal.
At the time, CRA and ESDC had a system in place that allowed individuals who logged in via ESDC’s portal to freely access accounts held in that individual’s name at CRA and vice versa, without any additional authentication.
The credential stuffing attack started around July 23, 2020 on ESDC’s Enterprise Cyber Authentication Solution and Canada Student Loan systems, which the report refers to as ESDC’s portal. The portal uses Shared Services Canada’s GCKey Service, which is operated by 2Keys Corporation under the direction of the government.
A few days later, another automated credential stuffing attack started on CRA’s online service accounts through its portal. The attackers initially exploited a 20-month-old misconfiguration in CRA’s system, allowing them to bypass CRA’s requirement for users to answer a security question when logging in from a new device. ESDC’s portal did not have this requirement at the time, and thus did not require such a bypass. After CRA fixed the misconfiguration, the report says, attackers renewed their credential stuffing attack on the CRA portal by “stuffing” usernames, passwords, and answers to security questions.
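The pattern described above is visible in ordinary authentication logs, and it is worth seeing why a per-account lockout does not catch it: each stolen username is tried only once or twice, so no single account trips a failure counter, while the source of the traffic fails across hundreds of different accounts. The script below is an added example, not code from the report or from either department. It reads a constructed log in an assumed format (timestamp, `src`, `user`, `outcome`), where `outcome` distinguishes a password failure from a failure at the new-device security question, and flags a source as credential stuffing when it touches many distinct usernames with a high failure ratio. The thresholds are assumptions; the accounts that nonetheless logged in from a flagged source are reported as likely compromised.

```python
"""Credential-stuffing detector over authentication logs (added example).

Log format, field names and thresholds are assumptions; the log lines are
constructed for illustration, not taken from any real system.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. Outcomes: password_fail, question_fail (wrong answer
# to the new-device security question), success. IPs are documentation ranges.
SAMPLE_LOG = """\
2020-07-23T10:00:01Z src=203.0.113.7 user=u1001 outcome=password_fail
2020-07-23T10:00:02Z src=203.0.113.7 user=u1002 outcome=password_fail
2020-07-23T10:00:02Z src=203.0.113.7 user=u1003 outcome=success
2020-07-23T10:00:03Z src=203.0.113.7 user=u1004 outcome=password_fail
2020-07-23T10:00:03Z src=203.0.113.7 user=u1005 outcome=question_fail
2020-07-23T10:00:04Z src=203.0.113.7 user=u1006 outcome=password_fail
2020-07-23T10:00:04Z src=203.0.113.7 user=u1007 outcome=password_fail
2020-07-23T10:00:05Z src=203.0.113.7 user=u1008 outcome=success
2020-07-23T10:00:05Z src=203.0.113.7 user=u1009 outcome=password_fail
2020-07-23T10:00:06Z src=203.0.113.7 user=u1010 outcome=password_fail
2020-07-23T10:01:00Z src=198.51.100.20 user=u2001 outcome=password_fail
2020-07-23T10:01:30Z src=198.51.100.20 user=u2001 outcome=password_fail
2020-07-23T10:02:00Z src=198.51.100.20 user=u2001 outcome=success
2020-07-23T10:05:00Z src=192.0.2.55 user=u3001 outcome=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) outcome=(?P<outcome>\S+)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    users: set = field(default_factory=set)
    failures: int = 0            # password_fail + question_fail
    question_failures: int = 0   # stuffing of security-question answers
    succeeded_users: set = field(default_factory=set)


@dataclass
class Finding:
    source: str
    attempts: int
    distinct_users: int
    fail_ratio: float
    question_failures: int
    compromised: list            # users that logged in from a flagged source


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_by_source(records):
    """Aggregate attempts per source address (no time windowing here)."""
    stats = defaultdict(SourceStats)
    for r in records:
        s = stats[r["src"]]
        s.attempts += 1
        s.users.add(r["user"])
        if r["outcome"] == "success":
            s.succeeded_users.add(r["user"])
        else:
            s.failures += 1
            if r["outcome"] == "question_fail":
                s.question_failures += 1
    return stats


def detect_stuffing(records, min_distinct_users=5, min_fail_ratio=0.5):
    """Flag sources that fail across many distinct accounts.

    A legitimate user who forgot a password produces many failures for ONE
    username; credential stuffing produces a few failures EACH for many
    usernames, so the distinct-user count is the discriminating signal.
    """
    findings = []
    for src, s in summarize_by_source(records).items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and ratio >= min_fail_ratio:
            findings.append(Finding(src, s.attempts, len(s.users), ratio,
                                    s.question_failures,
                                    sorted(s.succeeded_users)))
    return sorted(findings, key=lambda f: f.attempts, reverse=True)


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f.source}: {f.attempts} attempts over {f.distinct_users} users, "
              f"fail ratio {f.fail_ratio:.2f}, question failures "
              f"{f.question_failures}, likely compromised: {f.compromised}")
```

On the sample data the script flags 203.0.113.7 (ten usernames, eight failures, two successful logins to treat as compromised) and ignores 198.51.100.20, which is one user retrying their own password. In production the aggregation would be bucketed by time window, and because stuffing tools rotate source addresses, the same distinct-user and failure-ratio test should also be applied per ASN, per user agent and fleet-wide rather than per IP alone; a rise in `question_fail` events after a fix, as in the renewed CRA attack, is its own signal that answers are being stuffed.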
2Keys alerted ESDC to new accounts that appeared to have been created by the attackers. This alert led ESDC, beginning Aug. 27, 2020, to discover over 2,000 cases of identity theft.
Attackers were able to fraudulently apply for new benefits at ESDC and create new accounts in individuals’ names without their knowledge. In November 2020, CRA also separately discovered a case of identity theft where attackers successfully created new credentials for a CRA capability allowing an individual to represent a client, and subsequently accessed information of 36 businesses, including over 8,000 individuals’ sensitive personal information.
The report says attackers used approximately 26,000 CRA “My Accounts”, one CRA “Represent a Client” account, 6,000 ESDC “My Service Canada Accounts,” and 112 ESDC business accounts to access the contact information, identifiers [including social insurance numbers (SINs) and dates of birth] and sensitive financial, banking and employment information of 14,000 individuals held by ESDC and of 34,000 individuals held by CRA.
Attackers also modified personal information in accounts – changing direct deposit and address information to redirect existing payments to the attackers, as well as applying for new benefits such as the pandemic Canada Emergency Response Benefit, Employment Insurance (EI) benefits, and tax refunds.
That’s not all. During the final stages of Dufresne’s investigation, he learned that other breaches, which the CRA does not connect to this credential stuffing attack, had been detected in 2020 and weren’t reported to his office. Preliminary information indicates that up to 15,000 individuals could have been similarly affected by these breaches, which were, like the breach examined in this report, related to COVID-19 benefits fraud.
The report stresses the risk of serious damage to people from cyber attacks on government databases. In late 2022, Dufresne’s office received a complaint from an individual who was the victim of identity theft at ESDC. From late November to December 2020, attackers applied for fraudulent EI benefits and opened an online account at ESDC in his name. Over the next two years, they were able to repeatedly apply for benefits in his name without being detected by ESDC. When the individual later lost his job, he couldn’t get EI benefits — he was told by the department he’d already received his maximum benefits. Then he was held liable by ESDC and CRA to pay taxes on those fraudulent benefits he never received. That case was only resolved after Dufresne’s office stepped in.
Government guidelines on authentication requirements set out four levels of assurance for departments to follow. Level 4 requires that there be “very high confidence” an individual is who they say they are to access their account online. In 2020, both CRA and ESDC assessed their level of assurance for online accounts as meeting Level 2: “Some confidence is required that an individual is who he or she claims to be.” Dufresne says they should have met a Level 3 requirement.
Level 2 requires the collection of only one piece of evidence of identity and does not require any steps to verify the “linkage” of identity information to the applying individual, the report says. For Level 3, among other requirements, two pieces of evidence of identity must be collected, one of which must be foundational, such as records of birth or citizenship, and linkage must be confirmed, though acceptable linkage methods are not described in detail in the government rules.
In the wake of the 2020 breaches, CRA and ESDC added address confirmation (sending an enrollment code to the address on record from previous tax filings) to an account applicant’s identity assurance processes. However, the report adds, neither department is requiring the collection of evidence of identity from applicants, or verifying linkages between identity claimed and the actual identity using physical/biometric comparison or equivalently robust methods.
ESDC did not apply these improvements to accounts created using SecureKey Concierge credentials through Canadian banks until mid-2021, when it began to offer a second identity assurance authentication process, leveraging identity verification of individuals already conducted by certain Canadian financial institutions, the report says. In the interim, attackers continued to be able to exploit this vulnerability in ESDC’s identity assurance process, including in the identity theft incident experienced by the individual who later complained to Dufresne’s office.
“In addition,” the report adds, “to our knowledge, ESDC continues to permit identity assurance without the collection of any piece of identity, or the verification of linkage or address confirmation for certain online services.”
The report says both departments have agreed to implement recommendations from the Privacy Commissioner, including improving communications and decision-making frameworks to facilitate the implementation of efficient safeguards against future attacks, and rapid response to privacy breaches, as well as conducting regular security assessments.
Why did it take four years for the privacy commissioner to complete this investigation? The receipt of written representations from CRA, ESDC, Shared Services Canada, and Treasury Board [which sets cybersecurity policies for government departments] was often delayed by weeks or months, or was incomplete, “requiring multiple exchanges and escalations between increasingly senior executives,” Dufresne’s report says. And an internal government report on lessons learned was initially withheld from Dufresne under a claim of solicitor-client and litigation privileges. ESDC and CRA also prepared lessons-learned / postmortem reports, which they would not provide to Dufresne due to claims of privilege.
ESDC and the Treasury Board Secretariat (TBS) also cited a class action lawsuit related to the breach as a factor in the delays. ESDC further attempted to restrict the Office of the Privacy Commissioner’s (OPC’s) access to interview individuals, citing privilege.