As a result of two separate cyberattacks, the Canada Revenue Agency (CRA) was compelled to shut down its online services in August 2020. Hackers used stolen credentials to log into the MyCRA website in an effort to illegitimately claim Canada Emergency Response Benefit (CERB) payments under the names of victims. These incidents were believed to be instances of "credential stuffing," in which attackers try usernames and passwords stolen elsewhere against a site's login.
It was initially reported that the botnet had affected the personal data of only 5,500 Canadians; however, a month after the attack, the government acknowledged that forensic analysis had found "malicious activity" on as many as 48,500 accounts.
However, new information has come to light through the ongoing proceedings of a class action lawsuit filed against the federal government over the data breaches. According to a federal court judgement last week, criminals modified taxpayers' direct deposit banking details over a period of two weeks, then fraudulently applied for CERB payments.
Although the court document does not disclose the total value of the fraudulent benefit claims made in relation to the two breaches, The National Post has suggested that at least $25.4 million was stolen. This figure assumes that one CERB payment of $2,000 was claimed in the name of each of the 12,700 victims.
The class action lawsuit is led by Todd Sweet, a retired police officer from British Columbia who discovered that a hacker had submitted four CERB claims using his name and stolen a total of $8,000. Despite his argument that a thief had used his credentials to steal the payments and had changed the deposit information in his MyCRA account, the CRA emailed him an "upsetting" letter in October 2021 telling him that he was required to pay taxes on the $8,000 that had been illegally claimed in his name.
"The CRA account breach has forced me to question the ability of the CRA to securely maintain my personal and financial information," stated Sweet. "[T]he CRA has not been able to keep my information private." "I am quite concerned about whether or not the CRA will keep my personal and financial information secure, and I am skeptical that the CRA will take any action to prevent occurrences that are similar to those that have occurred in the past."
According to The National Post, in the judgement handed down last week, Judge Richard F. Southcott determined that claimants may be eligible for damages. The judge also found that some of the evidence suggested there may have been a violation of confidentiality on the part of the government as well as an invasion of privacy.