Hackers Steal Over 880,000 Phone Numbers in Major Data Breach

Editorial

More than 880,000 phone numbers and approximately 85,000 email addresses belonging to Canadians have been stolen in a significant data breach linked to federal government accounts. Hackers exploited vulnerabilities in the multi-factor authentication software used by the Canada Revenue Agency (CRA), Service Canada, and the Canada Border Services Agency (CBSA), leading to a surge of fraudulent messages sent to the affected individuals.

In a statement issued on September 9, 2023, the Chief Information Officer (CIO) of the government confirmed the “data security incident.” The statement noted that only phone numbers and email addresses were compromised and categorized the breach as a “non-material privacy incident.” This classification suggests that the stolen data is considered low-risk in terms of privacy implications.

Despite the characterization of the breach, the CIO’s office reported that the hackers used the stolen information to send spam text messages. These messages contained links to a fraudulent phishing website designed to mimic a legitimate Government of Canada portal. Victims who clicked on these links risked providing their login credentials to the criminals, potentially exposing sensitive personal information on official government sites.

The extent of the breach was revealed following inquiries by the National Post, confirming that the hackers had gained access to nearly one million phone numbers and email addresses. As a result, over 881,000 spam messages were disseminated in an attempt to collect login or financial information from unsuspecting victims.

Government Response and Investigation

The breach was attributed to a vulnerability in the multi-factor authentication software provided by 2Keys, an Interac-owned company. This software is critical for verifying the identity of users accessing CRA, ESDC, or CBSA accounts by sending a verification code via text, call, or email.

According to a spokesperson for Interac, Cillian Murphy, the company identified the unauthorized access during a routine software update in mid-August. Hackers exploited the vulnerability over a two-week period beginning August 3. Following the detection of unusual activity, Interac promptly notified the government of the security breach.

Mila Roy, a spokesperson for Employment and Social Development Canada (ESDC), emphasized that the government had not found any evidence of fraudulent activity or compromised accounts resulting from the breach. Roy reassured the public that the information accessed did not include sensitive personal data, stating, “This information alone does not allow the unauthorized individual(s) to access Government of Canada accounts or other personal information.”

Expert Insights on Cybersecurity Risks

Cybersecurity expert Ian L. Paterson remarked that incidents like this one occur frequently worldwide. He emphasized the importance of ensuring that the hackers have been fully cut off from the system to prevent further access or exploitation. “Do bad guys still have access to the system? That’s really the thing to be concerned about,” said Paterson, who serves as CEO at Plurilock Security.

Paterson highlighted that even seemingly innocuous information, such as phone numbers and emails, can be leveraged by criminals in various ways. He advised the public to remain vigilant and adhere to basic cybersecurity practices. For instance, individuals should be cautious, as government agencies will never request sensitive information, such as tax details, via text message.

He elaborated on potential tactics used by criminals, which might include creating fake systems to solicit money or attempting to harvest user credentials. “If bad guys have one thing, they’re going to try and make the most they can from it,” Paterson warned.

As the investigation continues, the government and affected individuals remain on alert for any signs of further malicious activity stemming from this significant data breach.
