If you’ve spent even a few minutes in an online platform this week, then you’ve no doubt seen these headlines:
“Canada Revenue Agency Hit by Cyberattacks; Thousands of Accounts Affected”
-Touria Irzi, iHeartRadio
“It went to a different bank altogether: Sask. Woman one of thousands hit by CRA cyberattack”
-Morgan Modjeski, MSN
“Victim of CRA breach says someone applied for CERB with her account”
-Alexandra Mae Jones, CTV News
Terrifying, right?! According to a press release from the Government of Canada, the personal information of a little over 9,000 Canadians was compromised. Of all the places you’d expect your information to be secure, surely a credible, well-known government organization like the Canada Revenue Agency (CRA) should be one of them! Truth is, every website out there is just as vulnerable, and it can happen to any company, anytime!
So, what really happened in this ‘cyberattack’? Simply put, the attackers acquired usernames and passwords, likely either from a previous cyberattack they perpetrated or by buying them on the Dark Web. Knowing that many individuals struggle with remembering passwords and often reuse login information, the attackers leveraged a weakness within the CRA system which allowed them to log in as these individuals without having to answer security questions or enter a two-factor authentication code.
From there, it was as easy as pie for the attackers. They changed the email addresses and phone numbers on file so the individual wouldn’t receive any alerts about activity on their account. They altered bank account information so that any future payments from the CRA would be deposited into their own account. As the final kicker, the attackers applied for Canadian Emergency Response Benefits (CERB), in hopes that the applications would be approved without question, as they have been for many Canadians so far.
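The pattern described above leaves a recognisable trail in a web application’s authentication logs: one source address cycling through many different accounts with mostly failed logins, and a successful login followed within minutes by changes to the email address, phone number and direct-deposit details. As an added example (mine, not the CRA’s or Kalnara’s code), the following Python script parses a set of constructed, fictional log lines in a made-up format and flags both signals. The log format, field names, thresholds and the 10-minute window are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (fictional, not real CRA data). The made-up
# format is: timestamp ip=... user=... event=... result=...
# One address tries six accounts with five failures, then the single success
# is immediately followed by contact-detail and bank-account changes.
# A second, legitimate user mistypes once, logs in, and changes a phone
# number a day later (outside the window, so not flagged).
SAMPLE_LOG = """\
2020-08-10T02:00:01Z ip=203.0.113.9 user=alice event=login result=FAIL
2020-08-10T02:00:02Z ip=203.0.113.9 user=bob event=login result=FAIL
2020-08-10T02:00:03Z ip=203.0.113.9 user=carol event=login result=FAIL
2020-08-10T02:00:04Z ip=203.0.113.9 user=dave event=login result=FAIL
2020-08-10T02:00:05Z ip=203.0.113.9 user=erin event=login result=FAIL
2020-08-10T02:00:06Z ip=203.0.113.9 user=frank event=login result=OK
2020-08-10T02:00:40Z ip=203.0.113.9 user=frank event=change_email result=OK
2020-08-10T02:00:55Z ip=203.0.113.9 user=frank event=change_phone result=OK
2020-08-10T02:01:10Z ip=203.0.113.9 user=frank event=change_bank_account result=OK
2020-08-10T09:15:00Z ip=198.51.100.4 user=grace event=login result=FAIL
2020-08-10T09:15:20Z ip=198.51.100.4 user=grace event=login result=OK
2020-08-11T11:00:00Z ip=198.51.100.4 user=grace event=change_phone result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)

# Events that an account-takeover typically touches right after logging in.
SENSITIVE_EVENTS = {"change_email", "change_phone", "change_bank_account"}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """Source IPs that tried many distinct accounts with a high failure rate.

    A real user forgets one password; a credential-stuffing tool tries a
    list of leaked username/password pairs, most of which no longer work.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        if e["event"] != "login":
            continue
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if e["result"] == "FAIL":
            stats["fails"] += 1
    flagged = [
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= min_accounts
        and s["fails"] / s["attempts"] >= min_fail_ratio
    ]
    return sorted(flagged)


def takeover_candidates(events, window=timedelta(minutes=10)):
    """(user, ip) pairs where a successful login is followed within `window`
    by a change to contact details or direct-deposit information."""
    hits = set()
    successes = [e for e in events if e["event"] == "login" and e["result"] == "OK"]
    for login in successes:
        for e in events:
            if (e["user"] == login["user"]
                    and e["event"] in SENSITIVE_EVENTS
                    and login["ts"] <= e["ts"] <= login["ts"] + window):
                hits.add((login["user"], login["ip"]))
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("Likely credential-stuffing sources:", stuffing_sources(evts))
    print("Login followed by sensitive changes:", takeover_candidates(evts))
```

Either signal on its own produces false positives (shared corporate addresses, people who genuinely move and change their details), which is why the two are kept separate and why the second signal is the stronger reason to pause a payment or require re-verification before it goes out.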
Hack or Breach?
Some news outlets are reporting that this cyberattack was a hack. Others are calling it a data breach. Which one is it? A common misconception is that a hack and a breach are the same thing. They’re often terms that are used interchangeably – but they’re actually different. Mind blowing, I know!
A hack is an intentional attack whereby the attacker gains access to a protected system such as a server or computer so they can steal private, personal information or hold a system ransom. It is downright malicious (if I’m being totally honest!). The attacker will use the data they obtain to get something for themselves. This can come in the form of access to a bank account or credit card, right up to a brand-new identity.
A breach is when data is unintentionally left vulnerable in an insecure environment. In this case, an attacker can view data, alter data, or delete data. It’s not necessarily malicious, but your personal information would still be out there for the attacker to take as their own if they wanted to.
Think of it this way: Someone breaks your car window to steal your laptop from your backseat (hack). Or maybe you forgot to lock your car door, and someone just opened it up (breach). It’s a similar result – someone has gotten into your car – the difference being that the hack is almost always a crime, whereas a breach isn’t necessarily so.
In the case of this cyberattack on the CRA, it’s actually a combination of the two! Yes, it really can be both! The attackers first found individuals’ login information elsewhere (the breach) and then used this information maliciously to log in to the CRA and alter information for their own benefit (the hack).
Keeping your Information Safe
Anytime you input your data online, or even give your information out for something as simple as your grocery store rewards card, your risk of being compromised increases. Sure, it might not be by much, but the risk is still there. Does that mean you should never shop online again? That you shouldn’t apply for that new rewards card? Of course not! There are ways you can mitigate your risk and minimize the chance of your data being compromised.
Never Reuse Passwords
If I could make this statement a neon sign with flashing lights to get everyone’s attention, I would! I have been guilty of doing this many times myself, and my Certified Information Systems Security Professional (CISSP)-certified husband never lets me forget about it! He always wants me and my information to remain as secure as possible, so I can’t ever blame him. For many, it’s easy just to use the same password everywhere. There are so many websites, with so many logins and password requirements – how can we possibly remember them all?
Use a Password Manager
This is by far the easiest way to keep your information safe and secure. The best thing about them? You only have to remember ONE password! Password managers not only store your login information and associated passwords but can also generate difficult-to-guess random passwords which make it harder for a hacker to obtain your personal data. You know which random passwords I’m talking about here – the ones that are 20-plus characters long, have capital and lower-case letters, numbers, and symbols and look like your toddler has been playing with your keyboard.
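To show what the “toddler on the keyboard” passwords actually involve, here is an added example of how a generator produces them. This is my own illustration, not code from any particular password manager. It uses Python’s `secrets` module (the cryptographically secure random source, never `random`), guarantees at least one character from each of the four classes the post mentions, and reports how many bits of guessing work a password of a given length represents; the default length of 24 and the check function are my choices.

```python
import math
import secrets
import string

# The four character classes the post describes: capitals, lower-case,
# numbers and symbols. Together they form a 94-character alphabet.
CLASSES = [
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
]
ALPHABET = "".join(CLASSES)


def generate_password(length=24):
    """Return a random password that contains every character class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    # One character from each class, so no class can be missing...
    chars = [secrets.choice(cls) for cls in CLASSES]
    # ...then the remainder drawn uniformly from the whole alphabet.
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # Shuffle with the same CSPRNG so the guaranteed characters do not
    # always sit in the first four positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def covers_all_classes(password):
    """True if the password has at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random string of this length.

    Each position contributes log2(alphabet_size) bits; a 24-character
    password over 94 symbols is about 157 bits, far beyond what an
    attacker can guess even with leaked password hashes to work from.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, covers_all_classes(pw), round(entropy_bits(len(pw)), 1))
```

The point of the entropy figure is the contrast with a reused, human-chosen password: once that one password turns up in a breach, its entropy against the attacker is effectively zero on every site where it was reused, no matter how long it is.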
Remember to Change Your Passwords Regularly
Even if you use a random password for each site, it’s still a good practice to change them up regularly. Every 3-6 months is usually a good idea, and it’ll keep any potential hackers guessing.
If you have any questions about hacks, breaches, password managers, or how to keep yourself and your company protected from potential cyberattacks like the CRA has had, remember that the experienced professionals at Kalnara Cyber Defense are here for you!