Court documents have revealed that hackers had fraudulently claimed pandemic benefits using the Canada Revenue Agency (CRA) accounts of 12,700 individuals.
In August 2020, the CRA was forced to temporarily shut down its online services after it had suffered two cyberattacks. The attacks were suspected to be “credential stuffing” incidents; hackers used stolen credentials to log into the MyCRA online service and attempt to fraudulently claim Canada Emergency Response Benefit (CERB) payments under victims’ names.
It was initially reported that the cyberattack compromised the personal data of only 5,500 Canadians, but a month after the attack, the government admitted that forensic analysis had uncovered that there were “suspicious activities” on as many as 48,500 accounts.
But new details have emerged in the proceedings of a class action lawsuit brought against the federal government in the wake of the data breaches. According to a federal court ruling last week, fraudsters changed taxpayers’ direct deposit banking information over the course of two weeks, then falsely applied for CERB payments.
While the court document does not reveal the total value of fraudulent benefit claims related to the two breaches, The National Post has suggested that at least $25.4 million was stolen, assuming one CERB payment worth $2,000 was claimed under the name of each of the 12,700 victims.
The class action is led by Todd Sweet, a retired BC police officer who found out that a hacker had made four CERB applications under his name, stealing a total of $8,000. Although Sweet made the case that a hacker had used his credentials to steal the payments and had suspiciously changed the deposit details under his MyCRA account, the CRA sent him a “distressing” letter in October 2021 telling him that he must pay taxes on the $8,000 payment illegally claimed on his behalf.
“The CRA account breach has caused me to question the ability of the CRA to securely store my personal and financial information,” said Sweet. “I am very concerned about whether my personal and financial information is safe with the CRA, and I am sceptical of whether the CRA will do anything to prevent similar incidents.”
In last week’s ruling, Judge Richard F. Southcott found that claimants may be eligible for damages, The National Post said. The judge also ruled that some evidence showed that there may have been both a breach of confidence by the government and intrusion upon seclusion.
This article was originally sourced by www.insurancebusinessmag.com.