CRA security failure resulted in hackers’ access to thousands of accounts for CERB fraud
The Federal Court of Canada in Sweet v Canada has certified a negligence, breach of confidence and intrusion upon seclusion class action against the Canada Revenue Agency in connection with widespread “My CRA” account takeovers during the pandemic. Of particular interest is that the class was defined to exclude individuals who had provided their personal information to a BC law firm that had filed the original claim and was then itself the subject of a cybersecurity incident that may have exposed class member information.
During the summer of 2020, a large number of “My CRA” accounts were compromised and accessed by unknown third parties. The compromised accounts had their banking and direct deposit information changed, and many were enrolled in benefits programs such as the Canada Emergency Response Benefit (CERB). The threat actors were also able to access sensitive personal information contained in the accounts, such as addresses, birthdates, employment details and social insurance numbers (SINs).
A BC law firm quickly filed a putative class action in the Federal Court. In April 2021, that firm itself suffered a data breach that may have exposed the personal information of putative class members. The government moved to have the action stayed because it intended to bring a third party claim against the law firm for contribution and indemnity in respect of any persons whose information had been exposed by both the government and the law firm; such a claim would fall outside the jurisdiction of the Federal Court. As a result, the first law firm withdrew, a second law firm took carriage of the case and amended the pleadings to narrow the class to exclude those whose information may have been exposed in the law firm's breach, and a new representative plaintiff was substituted.
The Court described the incidents which resulted from an apparent failure on the part of CRA:
 In the summer of 2020, GCKey and CRA’s My Account were the subject of what the cybersecurity industry describes as a “credential stuffing attack” by a threat actor, predominantly targeting CRA and ESDC as a means of fraudulently applying for COVID relief benefits (CERB and the Canada Emergency Student Benefit [CESB]) that had been introduced by the Government in the spring of 2020. Credential stuffing is a form of cyber attack that relies on the use of stolen credentials (username and password) from one system to attack another system and gain unauthorized access to an account. This type of attack relies on the reuse of the same username and password combinations by people over several services. Threat actors sell lists of credentials on the Dark Web. Credential stuffing usually refers to the attempt to gain access to many accounts through a web portal using an automated bot system rather than manually entering the credentials. On dates in July 2020, CRA’s My Account experienced large numbers of failed logins, which have since been identified as a precursor to, or otherwise part of, a credential stuffing attack against that service.
 A threat actor attempting to access a particular My Account through credential stuffing would typically have encountered the requirement to successfully answer one of the five security questions selected by the user. However, during the attack that occurred in the summer of 2020, the threat actor(s) were able to bypass the security questions, and access My Account, because of a misconfiguration in CRA’s credential management software. CRA learned of this method to bypass the security questions on August 6, 2020, when it received a tip from a law enforcement partner that such a method was being sold on the Dark Web. Among other steps taken to respond to the data breach, CRA subsequently identified the relevant misconfiguration in its software, which it remedied on or about August 10, 2020.
 In the meantime, at least 48,110 My Accounts were impacted by the unauthorized use of credentials, meaning that the threat actor was able to enter a valid CRA user ID and password. Of those 48,110 My Accounts, 21,860 involved no progress by the threat actor beyond entering the ID and password, such that the threat actor did not access the accounts. This is potentially understood as a stage of the attack in which the threat actor was ensuring that the credentials worked. The threat actor(s) actually logged in to 26,250 My Accounts. In 13,550 of the My Accounts, although the security question bypass was used, the threat actor only viewed the homepage, meaning that some personal information was accessed, but no application was submitted for CERB. In 12,700 of the My Accounts, the threat actor changed the relevant taxpayer’s direct deposit banking information and fraudulently applied for CERB.
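The Court's account of the attack (a spike in failed logins as the precursor, then the three outcomes it counted: credentials confirmed only, account accessed, direct deposit changed) maps directly onto a triage a detection engineer would run over the portal's authentication log. The following is an added example, not code from the decision, from CRA or from GCKey; the event schema, thresholds, function names and every log line are assumptions constructed for illustration.

```python
"""Credential-stuffing triage over a web portal's authentication log.

Added example; not code from Sweet v Canada, CRA or GCKey. The event
schema, thresholds, function names and all log lines are assumptions
constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real CRA data). One event per line:
#   <ISO timestamp> <source IP> <user ID> <event>
# Events: password_fail, password_ok (ID/password accepted, i.e. before the
# security-question step), login (session established), view_home,
# change_direct_deposit.
# 203.0.113.7 guesses across twelve accounts in 17 seconds; 198.51.100.20 is
# one user mistyping a password twice before logging in normally.
SAMPLE_LOG = """\
2020-07-14T02:00:01Z 203.0.113.7 user001 password_fail
2020-07-14T02:00:02Z 203.0.113.7 user002 password_fail
2020-07-14T02:00:03Z 203.0.113.7 user003 password_ok
2020-07-14T02:00:04Z 203.0.113.7 user004 password_fail
2020-07-14T02:00:05Z 203.0.113.7 user005 password_fail
2020-07-14T02:00:06Z 203.0.113.7 user006 password_fail
2020-07-14T02:00:07Z 203.0.113.7 user007 password_ok
2020-07-14T02:00:08Z 203.0.113.7 user007 login
2020-07-14T02:00:09Z 203.0.113.7 user007 view_home
2020-07-14T02:00:10Z 203.0.113.7 user008 password_fail
2020-07-14T02:00:11Z 203.0.113.7 user009 password_fail
2020-07-14T02:00:12Z 203.0.113.7 user010 password_ok
2020-07-14T02:00:13Z 203.0.113.7 user010 login
2020-07-14T02:00:14Z 203.0.113.7 user010 view_home
2020-07-14T02:00:15Z 203.0.113.7 user010 change_direct_deposit
2020-07-14T02:00:16Z 203.0.113.7 user011 password_fail
2020-07-14T02:00:17Z 203.0.113.7 user012 password_fail
2020-07-14T08:15:00Z 198.51.100.20 user042 password_fail
2020-07-14T08:15:20Z 198.51.100.20 user042 password_fail
2020-07-14T08:15:45Z 198.51.100.20 user042 password_ok
2020-07-14T08:15:46Z 198.51.100.20 user042 login
2020-07-14T08:15:47Z 198.51.100.20 user042 view_home
"""


def parse_events(text):
    """Turn the log text into (timestamp, ip, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, event))
    return events


def flag_stuffing_sources(events, window=timedelta(minutes=10),
                          min_distinct_users=5, min_fail_ratio=0.7):
    """Flag source IPs that, within one sliding window, try many distinct user
    IDs with mostly failures. The distinct-user count is what separates
    automated stuffing from one person mistyping their own password."""
    by_ip = defaultdict(list)
    for ts, ip, user, event in events:
        if event in ("password_fail", "password_ok"):
            by_ip[ip].append((ts, user, event))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, e in span if e == "password_fail")
            ratio = fails / len(span)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "fail_ratio": round(ratio, 2)}
        if best:
            flagged[ip] = best
    return flagged


def classify_accounts(events, stuffing_ips):
    """Bucket every account touched from a flagged source into the stages the
    Court counted: credentials confirmed but no session, accessed (logged in,
    home page viewed), or defrauded (direct deposit changed)."""
    seen = defaultdict(set)
    for _, ip, user, event in events:
        if ip in stuffing_ips:
            seen[user].add(event)
    stages = {}
    for user, evs in seen.items():
        if "change_direct_deposit" in evs:
            stages[user] = "defrauded"
        elif "login" in evs:
            stages[user] = "accessed"
        elif "password_ok" in evs:
            stages[user] = "credentials_confirmed"
        else:
            stages[user] = "guess_failed"
    return stages


def triage(log_text):
    """Run both steps; return (flagged sources, per-account stage, stage counts)."""
    events = parse_events(log_text)
    flagged = flag_stuffing_sources(events)
    stages = classify_accounts(events, set(flagged))
    return flagged, stages, dict(Counter(stages.values()))
```

Two caveats a practitioner should carry over from the decision. First, the "credentials confirmed but not accessed" stage the Court counted (21,860 of the 48,110 accounts) is only visible if the identity provider logs password acceptance as its own event, separately from session establishment after the security-question step; a log that records only completed logins cannot distinguish it. Second, per-IP thresholds like the ones above are the weakest form of this detection, since a stuffing campaign is normally spread over proxies so that no single address trips them; a portal-wide failed-login ratio compared against a historical baseline, and distinct-accounts-per-user-agent or per-ASN, should run alongside.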
The plaintiffs sought to certify the class action on the basis of systemic negligence, breach of confidence and intrusion upon seclusion. The court noted that there were differing authorities on whether these causes of action could apply in circumstances such as these, but overall found that this area of law continues to develop and that the plaintiffs' claims, as pleaded, were not bound to fail.