2Keys security breach exposes government-stored emails and phone numbers

Treasury Board says information associated with CRA, ESDC and CBSA users was obtained prior to the phishing attempts.

Contact information attached to user accounts at several federal agencies was exposed in a cyberattack last month.

In a statement Wednesday morning, the Treasury Board of Canada Secretariat said email addresses and phone numbers for accounts at the Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC) and the Canada Border Services Agency (CBSA) were affected as a result of the hack.

The government was alerted to the hack on August 17 by its multi-factor authentication (MFA) provider 2Keys Corporation. According to the Secretariat, regular software updates created a vulnerability that allowed an attacker to steal phone numbers associated with CRA and ESDC accounts, as well as email addresses associated with CBSA accounts. The breach affected users who used the MFA service to access their accounts between August 3 and August 15.

The attacker then sent spam messages to the compromised phone numbers. The messages contained links to a phishing website that imitated the official Canadian government website. CBSA portal users who accessed their accounts via email were not affected.

The government said 2Keys has patched the software vulnerability and restored the MFA service and is investigating the breach with external cybersecurity experts. At this time, there is no indication that any additional personal or confidential information has been disclosed.

Founded in 1998, 2Keys is headquartered in Ottawa and provides digital security tools such as MFA to clients that include the Canadian government, large financial institutions, police and corporate clients. Interac acquired the company in 2019 to develop the payments processor's digital identity work. BetaKit has reached out to Interac for comment on the cyberattack.

Cybersecurity breaches have been on the rise in Canada in recent years, particularly as a result of phishing and ransomware attacks. According to the Canadian Online Registration Authority, 44% of IT and cybersecurity professionals reported experiencing a cybersecurity attack in 2024. Some provincial agencies, e.g. Alberta Innovations and Invest Nova Scotia, were also the target of breaches last year.

The federal government is still warning people using its online services to be vigilant if they receive unexpected messages purporting to be from the government.

Artistic image courtesy of Benoit Debe via Unsplash.
