Announcement

October 13, 2020

Commissioner launches investigations into cyberattacks on Canada Revenue Agency and other federal organizations

The Office of the Privacy Commissioner of Canada has opened investigations into recent cyber security incidents involving attacks on Government of Canada online service accounts.

One investigation will focus on cyberattacks on the GCKey, an electronic credential issued by the government and used by federal institutions to provide individuals and organizations with access to online services. It relates to Shared Services Canada, which issues the GCKey, and federal government departments affected by the attacks on the GCKey.

The second investigation relates to cyberattacks on Canada Revenue Agency accounts.

The incidents involved “credential stuffing,” where hackers use passwords and usernames collected from previous breaches to take advantage of the fact that many people use the same passwords and usernames for various accounts.

The two investigations were initiated by the Commissioner and will examine whether the government institutions met their obligations under the Privacy Act, the federal public sector privacy law.

As these are ongoing investigations, no additional details are available at this time and interviews are not possible.