OTTAWA — The federal government has confirmed that a cyberattack compromised email addresses and phone numbers linked to accounts at the Canada Revenue Agency, Employment and Social Development Canada, and Canada Border Services Agency. The Treasury Board of Canada Secretariat reported that the incident was detected on August 17 by 2Keys Corporation, which provides a multi-factor authentication application for these accounts.

According to the government, 2Keys Corporation identified the breach and promptly notified officials. An investigation is currently underway, involving external cybersecurity experts. The Treasury Board indicated that a routine software update created a vulnerability, allowing unauthorized access to phone numbers associated with CRA and ESDC accounts, as well as email addresses linked to CBSA accounts. This breach affected individuals who utilized the authentication service between August 3 and August 15.

The government noted that the malicious actor sent spam text messages to some of the compromised phone numbers. These messages contained links to a website that was designed to mimic a Government of Canada site. Fortunately, the Treasury Board stated that the multi-factor authentication service has since been restored. There is currently no evidence suggesting that any additional identifiable personal information or sensitive data was exposed during the incident.