More than 880,000 phone numbers linked to government accounts stolen in data breach
Source Feed: National Post
Author: Christopher Nardi
Publication Date: September 25, 2025 - 04:00

OTTAWA — More than 880,000 Canadians’ phone numbers and 85,000 email addresses used to access federal government web services were stolen by hackers, who then spammed victims with fraudulent messages, National Post has learned.

Late on Sept. 9, the government’s Chief Information Officer revealed in a statement that there had been a “data security incident” impacting Canadians’ data held by the multi-factor authentication provider for CRA, Service Canada and the Canada Border Services Agency’s public-facing portals.

Only email addresses and phone numbers had been stolen by unknown hackers, the statement said, making the breach a “non-material privacy incident” (meaning it involved only low-risk, low-privacy information).

But criminals still had a use for it, the CIO noted.

“The (malicious) actor sent spam text messages containing a link to a fraudulent phishing website designed to look like a Government of Canada website to some of these phone numbers,” the office of the CIO said at the time.

If a victim fell for the scam and tried to log in to the spoof website, they would be handing over their credentials to criminals, who could then use them to access sensitive personal information on the real government websites, for example.

“At this time, there is no indication that any additional personal identifiable information or sensitive personal data was disclosed,” the statement noted.

But what the CIO did not disclose at the time was the scope of the breach: nearly one million emails and phone numbers had been stolen, allowing criminals to send over 881,000 fraudulent spam messages attempting to steal victims’ login or financial information.

The data was confirmed by ESDC Wednesday after repeated questioning by National Post over two weeks.

Despite the scope of the leak and subsequent spam SMS campaign, ESDC spokesperson Mila Roy said the government had not detected any fraudulent activity or compromised accounts at this time.

“The data accessed did not include any additional personal identifiable information or sensitive personal data,” Roy wrote. “This information alone does not allow the unauthorized individual(s) to access Government of Canada accounts or other personal information.”

The breach stems from a vulnerability in the government’s multi-factor authentication software provider, Interac-owned 2Keys. The company’s software is used to verify that a person logging into a CRA, ESDC or CBSA account is the real account owner by sending them a code via text, call or email.

The office of the CIO said 2Keys discovered in mid-August that hackers had managed to exploit a vulnerability during a routine software update to steal the phone numbers and email addresses over a two-week period starting Aug. 3.

Interac spokesperson Cillian Murphy said that within two days of discovering the “unusual behaviour” in its multi-factor authentication, the company conducted a preliminary investigation of the issue and notified the government of the unauthorized entry into its system.

Asked about the two-day delay between the unusual behaviour first being detected and when the government was notified, Murphy pointed to the CIO’s statement saying that 2Keys “promptly informed the government and launched an investigation” after discovering the incident.

Ultimately, Roy said the breach exposed the phone numbers of 881,000 users of the Canada Revenue Agency’s MyCRA online portal. The hackers also made away with the email addresses of 85,699 people with a Canada Border Services Agency (CBSA) account.

In an interview, cybersecurity expert Ian L. Paterson said that breaches like this one occur nearly daily across the world. The most important thing for 2Keys now is to ensure that the hackers have been cut off from accessing the system.

“Do bad guys still have access to the system? Meaning, is this the tip of the iceberg and there’s a lot more behind it? That’s really the thing to be concerned about,” said Paterson, CEO at Plurilock Security.

He said there are multiple ways for criminals to use information as basic as phone numbers and emails to scam people.

That’s why it’s important for everyone to remain vigilant and follow basic cybersecurity guidance, such as knowing that government agencies will never ask for your tax information via text message, for example.

“One of the ways would be to set up fake systems to try and collect money directly through fraudulent emails, fraudulent SMS. Another way would also be to try and harvest credentials, so try and get those users to give up their passwords and other forms of identification,” he detailed.

“I would fully expect that if bad guys have one thing, they’re going to try and make the most they can from it.”

National Post
