Theresa Alemany says she returned from a weekend of camping in early August to find emails from the Canada Revenue Agency (CRA).
The notices said her email address had been removed and the direct deposit information for her taxes and child tax benefits had been changed to a bank in Quebec.
“I don’t have a TD account and I definitely don’t live in Montreal,” said Alemany.
Alemany had become one of over 5,600 Canadians whose CRA accounts had been hacked.
Fraudsters were able to exploit a vulnerability in the Government of Canada website to take advantage of login credentials exposed through previous hacks to conduct a series of cyberattacks.
The attacks come at a time when millions of Canadians have been relying on the CRA’s website to apply for and access COVID-19 emergency benefits.
Those who accessed Alemany’s account also applied for two months of the Canadian Emergency Response Benefit under her name.
“The big thing for me is they have access to all of my past tax records, which on those tax records have my social insurance number so that’s the scary part for me,” she said.
The federal government said Monday the cyberattack has been contained and the website should be back up for Canadians in a few days.
“There was a vulnerability that was exploited, it was discovered and it was patched and it no longer is a vulnerability on our systems,” said Marc Brouillard, Chief Information Officer for the Government of Canada.
“The government needs to do a lot better job of securing that website,” said Alemany’s husband Chris. “It’s a violation when someone has accessed your information.”
“You shouldn’t be able to just change your bank account and get an email and it be done,” said Theresa Alemany. “It was as simple as that for them.”
She’s also upset that nearly two weeks went by after her account was hacked before the government shut down the website.