Canada’s privacy chief says weak digital identity authentication and poor interdepartmental communication are to blame for a 2020 data breach that saw the financial, banking, and employment information of almost 50,000 Canadians stolen from the systems of Employment and Social Development Canada (ESDC) and the Canada Revenue Agency (CRA).

A newly submitted report to Parliament, which summarizes the results of an investigation by the Office of the Privacy Commissioner of Canada, says that both organizations failed to implement the appropriate level of identity authentication given the sensitive nature of the personal data they hold, having only single-factor authentication tools in place. The report also admonishes ESDC and CRA for their detection and containment efforts, which it says failed in part because of lackluster testing and a lack of accountability and data sharing between departments.

Previously stolen ID data used for “credential stuffing”

The flimsy ID authentication system allowed hackers (or their bots) to enter digital portals and access individuals’ accounts through a tactic called credential stuffing – using ID credentials stolen in previous breaches to log in and manipulate accounts for the purpose of redirecting government payments such as tax refunds and Covid-19 benefits. Per the report, “this attack technique leverages individuals’ tendency to reuse usernames and passwords.” Attacks targeted the CRA’s sign-in portal and the Government of Canada’s centralized “GCKey” authentication service, which ESDC uses, as infiltration points.

“Both ESDC and CRA under-assessed the level of identity authentication warranted,” says the report, formally entitled Special Report to Parliament: Investigation of unauthorized disclosures and modifications of personal information held by Canada Revenue Agency and Employment and Social Development Canada resulting from cyber attacks. Furthermore, “both had inadequately informed and accountable security decision-making prior to the breach, due to a siloed approach to interdepartmental accountability and information sharing as well as inadequate assessments and testing of security.”

“Finally, both departments lacked adequate monitoring, supported by effective interdepartmental coordination, to detect and promptly contain the ongoing breach.”
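The report faults the departments for monitoring that could not detect the ongoing credential-stuffing campaign. As an added illustration (not code from the report or from either department), the script below shows the kind of login-log check a defender would run: because stuffing replays leaked username/password pairs, one source touches many distinct accounts with a high failure rate, and any success from such a source marks an account that needs attention. The log lines, IP addresses, usernames and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample login events (not from the report):
# timestamp  source_ip  username  outcome
SAMPLE_LOG = """\
2020-08-01T10:00:01Z 203.0.113.5 alice FAIL
2020-08-01T10:00:02Z 203.0.113.5 bob FAIL
2020-08-01T10:00:03Z 203.0.113.5 carol OK
2020-08-01T10:00:04Z 203.0.113.5 dave FAIL
2020-08-01T10:00:05Z 203.0.113.5 erin FAIL
2020-08-01T10:00:06Z 203.0.113.5 frank OK
2020-08-01T10:05:00Z 198.51.100.7 alice FAIL
2020-08-01T10:05:20Z 198.51.100.7 alice OK
"""

def parse_log(text):
    """Parse whitespace-separated login events into (ts, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome))
    return events

def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames with mostly failed logins."""
    # A legitimate user who mistypes a password retries the SAME account; a
    # stuffing run walks a leaked credential list, so one source hits many accounts.
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "ok": set()})
    for _ts, ip, user, outcome in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        if outcome == "FAIL":
            stats["fail"] += 1
        else:
            stats["ok"].add(user)  # a success from a stuffing source = reused password
    flagged = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["fail"] / stats["total"]
        if len(stats["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised_accounts": sorted(stats["ok"]),
            }
    return flagged
```

On the constructed log, the single attacker source is flagged with two accounts whose reused passwords worked, while the user who simply mistyped once is not.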

The privacy commissioner says that ESDC and CRA contravened the section 8 disclosure provisions of the Privacy Act, which specifies that a department must not disclose personal information under its control except in exceptional circumstances.

Recommendations lead to change

The report’s findings – weak or outdated authentication security, misalignment across departments and systems, inadequate monitoring of credential management systems – are familiar flags to those in the biometrics and digital authentication space. The CRA and ESDC have agreed to address the issues by implementing recommendations from the privacy commissioner, which include “improving communications and decision-making frameworks to facilitate the implementation of efficient safeguards against future attacks and rapid response to privacy breaches, as well as conducting regular security assessments.” Specifically, the two recommendations suggest that the departments collaborate with relevant partners and subcontractors to “develop clear processes to ensure that they are comprehensively and quickly informed of evolving threats and vulnerabilities that affect safeguards they rely on,” and that they conduct internal assessments annually and external assessments every two years.

