Cyberattacks on the federal government’s online service accounts are now the subject of investigations by the Office of the Privacy Commissioner of Canada (OPCC), it was announced Oct. 13.
Commissioner Daniel Therrien’s office will be looking into cyberattacks on the GCKey, an electronic credential issued by Ottawa and used by federal institutions to provide individuals and organizations access to online services.
The OPCC said the investigation relates to Shared Services Canada, which issues the GCKey, and federal departments affected by the attacks on the GCKey system.
The federal Treasury Board Secretariat said in August that some 30 federal departments use GCKey to allow Canadians to access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account.
“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” the board said.
The second investigation relates to cyberattacks on Canada Revenue Agency (CRA) accounts.
The incidents involved so-called “credential stuffing,” a practice in which hackers take usernames and passwords collected from previous breaches and try them on other services, taking advantage of the fact that many people reuse the same usernames and passwords across various accounts.
The board said about 5,500 CRA accounts were targeted in the GCKey attack and another recent “credential stuffing” attack aimed at the CRA.
The investigations were initiated by the commissioner and will examine whether the government institutions met their obligations under the Privacy Act, Canada’s public sector privacy law.