Question Period Note: Cyber Security

Cyber security has been a topic of interest in the media after the Government of Canada experienced a credential stuffing attack which affected GCKeys.

• The Government of Canada, like every other government and private sector organization in the world, faces ongoing and persistent cyber threats.

• That is why the government has robust systems and tools in place to monitor, detect and investigate potential threats, and neutralize them as quickly as possible.
• In early August, the Government of Canada took action to stop “credential stuffing” attacks mounted on the GCKey service and Canada Revenue Agency (CRA) accounts.

• While the government continues to take action to mitigate attacks and minimize threats, attackers are constantly adjusting their methods. Canadians need to remain vigilant in protecting account information.

• The credential stuffing attack is a threat facing private and public sector organizations alike.

• Of the roughly 12 million active GCKey credentials in Canada, the passwords and usernames of just over 9,300 GCKey users were used by bad actors to access government services. The GCKey service itself was not compromised. As for CRA, they identified suspicious activities occurring between early July and August 15, 2020 on approximately 48,500 of the more than 14 million CRA user accounts.

• As soon as the Government of Canada became aware of this security incident, it:
o authorized the GCKey service provider to revoke all affected accounts immediately;
o ensured the GCKey service provider applied additional security mitigation measures such as blocking IP addresses linked to bad actors and disabling direct access to the GCKey login website;
o triggered the Cyber Security Event Management Plan, engaging the GCKey service provider, the Treasury Board of Canada Secretariat, the Canadian Center for Cyber Security and Shared Services Canada to coordinate effort with impacted departments to stop the attacks and communicate directly with the affected users; and
o engaged the Office of the Privacy Commissioner, and continues to do so, on efforts to protect personal information.

• Service Canada and CRA also took additional safety measures to protect account holders by deactivating the compromised accounts, temporarily removing some online abilities, and adding additional security measures to the account sign-in process. These mitigation measures have proven to be effective.

• On August 15, 2020, an official statement to the public was issued with a follow up statement on September 17, 2020.

• The CRA is working with individuals affected by identity theft or fraud to help ensure they are not held liable for fraudulent claims and payments made by fraudsters using their account. Individuals whose accounts have been compromised will be offered credit protection services free of charge.

• The government has robust systems and tools in place to monitor, detect and investigate potential threats, and actively address and neutralize them. It is also constantly evolving its security measures to keep up with new types of attacks. This includes:
o looking at additional security features such as multifactor authentication (MFA), where appropriate, to help Canadians protect their accounts; and
o advancing efforts around digital identity as it has been noted that nations with advanced Digital Identity infrastructures have been able to streamline services provided to citizens online while improving security and enhancing privacy. In Canada, pilots and projects are currently underway that allow users to log in with their provincial trusted digital identities to access federal government services in a timely and secure way.

• The government also makes available, tools and resources to the public to assist them in protecting their personal information, for example Get Cyber Safe, Publications at the Canadian Center for Cyber Security, and Slam the Scam.

• On August 5, 2020, the Government of Canada was made aware of a credential stuffing attack against the GCKey service, whereby bad actors misused passwords and usernames obtained online as a result of previous hacks of systems worldwide. Around the same time, a similar attack was mounted on the Canada Revenue Agency.

• Of the roughly 12 million active GCKey credentials in Canada, the passwords and usernames of just over 9,300 GCKey users were used.

• On August 15, 2020, an official statement to the public was issued with a follow up statement on September 17, 2020.