Canadian Government’s GCKey Service Targeted by Cyberattacks and Used to Steal COVID-19 Relief Benefits

Canadian Government’s GCKey Service Targeted by Cyberattacks and Used to Steal COVID-19 Relief Benefits

Recently, the Canadian government services were targeted by cyberattacks used to steal COVID-19 relief payments. The attacks breached the Canadian government sites that provide access to services for immigration, taxes, pension, and benefits.  

The attackers targeted Canada’s online portal called GCKey. GCKey is vital as it’s used by the public to access multiple Canadian government services. As a result, thousands of Canadians’ had their personal information compromised.  

Attackers using credential stuffing to access GCKey accounts 

Attackers managed to access over 9,000 GCKey accounts using the “credential stuffing” technique. In this type of attack, hackers use stolen usernames and corresponding passwords in combination on different sites. They automatically try over and over until they find accounts that use the same log-in credentials. This type of password attack relies on users who reuse their passwords for multiple accounts, which many still unfortunately do.  

LIFARS’ penetration testing services can help evaluate your organization’s ability to protect its application, network, system, and users from external and internal threats. In penetration testing, a pen tester simulates an attack like a hacker would. This allows them to evaluate the security of your organization’s infrastructure, such as application, network, system, and user. Additionally, they analyze design weaknesses, technical flaws, and vulnerabilities. 


For this reason, it’s strongly advised to use different passwords for accounts and make your passwords hard to guess. This way, attackers would not be able to reuse stolen credentials and compromise other accounts. 

Lack of multi-factor authentication (MFA) and COVID-19 relief funds stolen 

As mentioned before, many federal departments use GCKey. This online portal can be used to alternatively access and sign-in to the Canadian Revenue Agency (CRA) systems by users.    

Unfortunately, some of these departments including GCkey and CRA, do not have multi-factor authentication in place. If signing-in from a new computer, the user would just be prompted to answer a security question. Lack of security measures like multi-factor authentication allows attackers to gain access to a victim’s GCKey or CRA account. Without the proper security measures, attackers can easily carry out credential stuffing or unauthorized sensitive government transactions.  

As part of the nationwide coronavirus relief effort, the Canada Emergency Response Benefit (CERB) provided funds for eligible residents. The CERB website’s screening questions could be answered in a certain way to access the system via the “My Service Canada” account which uses GCKey. Attackers exploited this factor to gain unauthorized access to Canadian’s CRA accounts, and this case steal COVID-19 emergency benefits. 

It was reported that Canadians were noticing their email addresses associated with their CRA accounts had been changed earlier this month. Their direct deposit information had also been altered. Payments such as CERB funds were issued in their name even if they had not applied for the COVID-19 benefit.  

Annette Butikofer, chief information officer at CRA, stated that Canadians whose accounts were breached were sent instructions to regain access.  

The government has also advised Canadians to use unique passwords for accounts, and to be on alert for suspicious activity.