The CRA Breach and RRU - an Important Lesson

Have you seen the news reports about the recent cyber attack on the Canada Revenue Agency?  No?  Here’s a link to the CBC report: https://www.cbc.ca/news/politics/cra-gckey-cyberattack-1.5689106


The attacks targeted the Canada Revenue Agency (CRA) and GCKey, a secure online portal that allows Canadians to access services such as employment insurance, veterans' benefits and immigration applications. The attacks come at a time when millions of Canadians have been relying on the CRA's website to apply for and access COVID-19 emergency benefits.  In total, 11,200 accounts were impacted in the attack.  Pretty scary, eh?  The question is, how did they do it? 

The answer is they used what’s called a “credential stuffing” attack. And that is where the important lesson lies.

A “credential stuffing” attack is where the cyber criminals take long lists of login credentials, typically usernames and/or email addresses and the corresponding passwords, and then fire them at the target website until they get a login. Where do they get these credentials? They buy them on the “Dark Web” from other cyber criminals who have stolen them in earlier breaches and then offer them for resale.

Here's the trick.  This attack works because people re-use their passwords across two or more sites.  According to Wikipedia, one survey shows that 81% of people have re-used passwords across sites.  And that’s why credential stuffing attacks are successful.

Is it a problem? You bet… have a look at the following US stats:

What does this have to do with cybersecurity at Royal Roads University? It’s all about keeping your RRU credentials safe. That’s why we ask you to NEVER use your RRU passphrase anywhere but at RRU. Ever. Please…. We don’t want your RRU credentials compromised when some other site you used them on gets hacked.

What can you do to minimise the chance of being a victim of a credential stuffing attack? Here are some tips:

  • Do not use your RRU passphrase to log on anywhere else but an RRU site.
  • Change your RRU passphrase periodically.
  • Use unique passphrases for each site you log on to.
  • Have trouble remembering passphrases? Try a password manager. We recommend 1Password.

Questions? Talk to your Cybersecurity Ambassador, IT Help Desk or IT Security – we’re all happy to answer your questions.
