TORONTO -- When Leah Baverstock received an email on August 7 telling her that her application for the Canadian Emergency Response Benefit (CERB) had been approved, she was more than a little confused.
After all, she hadn't applied to the program.
Baverstock is one of thousands of Canadians who had their accounts with the Canada Revenue Agency compromised this month after a "credential stuffing" scheme, in which hackers used previously obtained personal information, such as logins and passwords, to access users' online accounts.
"It's definitely scary times," Baverstock told ŰÎŰ´ŤĂ˝ Channel. "I hadn't applied for the CERB, so that was a bit of a shocker, so I ended up calling the CRA.
"The lady I spoke with said it was a one-off. She said, 'I'm sorry that this happened to you,' she proceeded to give me a list of people to call, to let them know it had happened. And then I heard about the other 5,000 or 9,000 people that this happened to, and I thought, 'This is not a one-off.'"
Officials confirmed Monday that the 5,500 CRA accounts initially reported to have been breached were the tip of the iceberg: a total of 11,200 accounts for the Government of Canada services were compromised in the attack, including CRA accounts and "GCKey" accounts, which 30 government departments use.
Marc Brouillard, the acting chief technology officer for the Government of Canada, said Monday that "bad actors […] were also able to exploit a vulnerability in the configuration of security software solutions, which allowed them to bypass the CRA security questions and gain access to a user's CRA account."
Government officials have said that they first became aware of a security breach on Aug 7 -- the same day Baverstock reports calling the CRA about her account -- but didn't contact the RCMP until Aug 11.
And Canadians were not informed of the breach until this past weekend, days after further attacks had been executed.
The CRA has defended its decision not to inform Canadians immediately, saying it needed time to inform people internally and try to regain access to breached accounts.
"I think about your social insurance number being your Canadian identification number, and I think if somebody has access to that, then they have access to basically anything," Baverstock said.
"So I called the anti-fraud unit -- they're closed due to COVID. I called Service Canada, I let them know about what was happening with my social insurance number."
She said she'd also been in contact with her bank and other accounts she has "to let them know it's happened, to put some additional security in place if somebody does try to apply for credit in my name.
"But it concerns me because somebody could live under my name, under my social insurance number," she pointed out. "Live as me."
Experts in cyber security say that reusing your passwords and logins can make you vulnerable to these types of attacks, since one breach of one account could give a hacker the tools to log in to numerous accounts as you.
But passwords aren't the full picture of this breach.
Baverstock says she didn't even have a password for her CRA account.
"Apparently you need a code to get in, so I applied for the code back in March and they said they would mail it to me," she said. "I still haven't received it, and I can't even log into my CRA account, so it blows my mind that other people can."
Baverstock is not impressed with the CRA's response, saying she still has no idea what is happening with her account.
"When I spoke to the officer at CRA, she advised that a senior officer would call me within 24 hours, because my account has been completely locked down," she said. "I can't have any information."
She said she still has not received a call back.
"It's been over a week," she said. "The CRA agent, she said that there have been multiple attempts to go into my account over the past little while, I guess they can see that in their system, so, I mean I'm thinking at that point they should've locked my account down right then and there and notified me.
"This should never have happened."