Contact information attached to user accounts for a number of federal agencies was targeted in a cyberattack last month.
In a Wednesday-morning statement, the Treasury Board of Canada Secretariat said that email addresses and phone numbers for accounts at the Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC), and Canada Border Services Agency (CBSA) were impacted by the breach.
Forty-four percent of IT and cybersecurity professionals reported experiencing a cybersecurity attack in 2024
The government was alerted to the breach on Aug. 17 by its multi-factor authentication (MFA) provider 2Keys Corporation. According to the Secretariat, a routine software update created a vulnerability that allowed a malicious actor to steal phone numbers associated with CRA and ESDC accounts, along with email addresses linked to CBSA accounts. The breach affected users who used the MFA service to access their accounts between Aug. 3rd and Aug. 15th.
The attacker then sent links via spam text messages to compromised phone numbers, which directed to a phishing website that mimicked an official Government of Canada website. CBSA portal users who accessed their accounts through email were not affected.
The government said that 2Keys addressed the software vulnerability and restored its MFA service, and is investigating the breach alongside external cybersecurity experts. So far, there is no indication that any additional personally identifiable or sensitive information was disclosed.
Founded in 1998, Ottawa-based 2Keys provides digital security tools like MFA for clients that include the Canadian government, major financial institutions, police forces, and enterprise clients. Interac acquired the company in 2019 to build on the payment processor’s work around digital identity. BetaKit has reached out to Interac for comment on the cyberattack.
RELATED: Digital identity company 2Keys acquired by Interac
Cybersecurity breaches have been on the rise in Canada in recent years, particularly through phishing and ransomware attacks. Forty-four percent of IT and cybersecurity professionals reported experiencing a cybersecurity attack in 2024, according to the Canadian Internet Registration Authority. Some provincial agencies, like Alberta Innovates and Invest Nova Scotia, were also targeted by breaches last year.Â
The federal government is still warning people using its online services to be vigilant if they receive unexpected messages claiming to be from the government.Â
Feature image courtesy Benoit Debaix via Unsplash.