The federal government says individuals’ email addresses and phone numbers linked to Canada Revenue Agency, Employment and Social Development Canada and Canada Border Services Agency accounts were accessed in a cyberattack.
The Treasury Board of Canada Secretariat says the government was alerted to the incident on Aug. 17 by 2Keys Corporation, the provider of a multi-factor authentication application used for the accounts.
The government says 2Keys discovered the breach, promptly informed authorities and launched an investigation, which is being conducted with external cybersecurity experts.
Treasury Board says a routine software update caused a “vulnerability” that allowed a malicious actor to access phone numbers associated with CRA and ESDC accounts and email addresses linked to CBSA accounts for people who used the authentication service between Aug. 3 and Aug. 15.
The government says the actor sent spam text messages to some of the phone numbers with a link to a website designed to look like a Government of Canada site.
Treasury Board says the multi-factor authentication service has been restored and there is no indication that any additional identifiable personal information or sensitive data was disclosed.