Overview

• The Treasury Board said it was alerted on August 17 by 2Keys Corporation to a cyber incident affecting its multi‑factor authentication interface used by CRA, ESDC and CBSA accounts.
• A routine software update introduced a vulnerability that exposed phone numbers for CRA and ESDC users and email addresses for CBSA users who used the service between August 3 and 15.
• Some of the accessed phone numbers received spam texts linking to a fraudulent website designed to mimic a Government of Canada page.
• 2Keys patched the flaw and restored the authentication service, and an investigation with external cybersecurity experts has found no indication of additional personal or sensitive data being taken.
• The government urged users to practice cyber hygiene, including forwarding spam texts to 7726 and reporting suspected fraud to the Canadian Anti‑Fraud Centre.