$8.76 million CRA settlement exposes why basic security remains optional at most organizations
The federal government settled a six-year legal battle over credential-stuffing attacks on Canada Revenue Agency accounts for $8.76 million. The case closes one lawsuit, but it highlights a security problem that artificial intelligence is about to make significantly worse.
The attackers never used sophisticated exploits or zero-day vulnerabilities. They reused usernames and passwords stolen from earlier breaches on other websites, then ran them in bulk against CRA's My Account portal and other federal services. It worked because millions of people reuse passwords across multiple sites.
Jack Brooks, virtual Chief Information Officer at BOXX Insurance, said the first lesson is straightforward: "Cyber attacks don't need to be sophisticated to be quite devastating."
Passwords should be treated as already compromised
The attackers combined reused credentials with personal information from previous data exposures to break into accounts. Many victims then had pandemic benefits like CERB and CESB fraudulently applied in their names.
Neal Jardine, chief cyber intelligence and claims officer at BOXX Insurance, said organizations need to stop assuming passwords remain private. "Credentials should be treated as inherently exposed, and security models must be built around layered identity verification, behavioral monitoring, and resilience, not trust in a password alone," he said.
The CRA systems placed too much weight on passwords alone. Once attackers began testing credentials at scale, few roadblocks slowed them down.
"What makes incidents like this concerning is not the sophistication of the attack, but the scalability of it," Jardine said. "Credential stuffing has existed for years, but AI and automation are dramatically increasing the speed, precision, and volume at which attackers can operationalize stolen data."
Multi-factor authentication remains optional where it should be mandatory
Both experts stressed that multi-factor authentication and other secondary checks should be baseline security, not optional features. In CRA's case, additional safeguards existed but were largely optional for users.
Brooks said this pattern appears across industries. "MFA is no longer optional," he said. "When these sorts of events happen, they can be quite devastating for your client and the trust that they place in your business."
The concern extends beyond government portals. Social media platforms that don't require multi-factor authentication become treasure troves for social engineering. Public profiles provide criminals with clues about a person's life that can later help bypass verification steps on more sensitive accounts.
AI is turning old breaches into continuously reusable attack surfaces
The CRA attacks occurred in 2020 using relatively basic methods. The environment has changed dramatically since.
Jardine said the modern cyber attack increasingly involves aggregating and mining the vast troves of personal data spilled in breaches over the past decade. AI is becoming a significant force multiplier in that process.
"AI is changing the economics of cybercrime," he said. "What once required significant manual effort can now be automated at scale, allowing threat actors to aggregate breached datasets, correlate identities across platforms, and rapidly identify the most exploitable individuals, businesses, and access points."
Historical data breaches never truly disappear. AI is making years of leaked information significantly easier to weaponize.
What organizations should do now
For insurance professionals managing risk and claims, the lessons are direct. Organizations should assume passwords are already compromised. They should enforce layered defenses. Multi-factor authentication and rate-limiting on login attempts should be non-negotiable.
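The two controls named above, rate-limiting on login attempts and spotting credential-stuffing traffic before it succeeds, are simple enough to show in code. The following Python is an added example, not code from the article or from the CRA; the log format, the IP addresses and usernames, and the thresholds are all constructed for illustration. The detector keys on the signal that distinguishes a stuffing run from a forgetful user: one source trying many different accounts with mostly failures. The limiter counts attempts per source IP and per target account, so a run spread across many IPs against one account list is still slowed.

```python
"""Credential-stuffing detection over authentication logs, plus a per-IP and
per-account sliding-window login rate limiter. Added illustrative example."""
from collections import defaultdict, deque
import re

# Constructed sample log lines (not real data): time, source IP, account, outcome.
SAMPLE_LOG = """\
2020-08-01T10:00:01 ip=203.0.113.5 user=alice result=FAIL
2020-08-01T10:00:02 ip=203.0.113.5 user=bob result=FAIL
2020-08-01T10:00:02 ip=203.0.113.5 user=carol result=FAIL
2020-08-01T10:00:03 ip=203.0.113.5 user=dave result=SUCCESS
2020-08-01T10:00:04 ip=203.0.113.5 user=erin result=FAIL
2020-08-01T10:00:05 ip=203.0.113.5 user=frank result=FAIL
2020-08-01T10:00:09 ip=198.51.100.7 user=grace result=FAIL
2020-08-01T10:00:15 ip=198.51.100.7 user=grace result=FAIL
2020-08-01T10:00:20 ip=198.51.100.7 user=grace result=SUCCESS
"""

# Assumed line layout; adjust the pattern to the real authentication log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_stuffing(events, min_distinct_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many different accounts with mostly failures.

    A legitimate user who mistypes a password hits one account; a stuffing run
    walks a list of accounts, so distinct usernames per IP is the key signal.
    Thresholds are assumptions and should be tuned to the service's traffic."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["attempts"] += 1
        stats["users"].add(e["user"])
        if e["result"] != "SUCCESS":
            stats["fails"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["fails"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(ratio, 2),
            }
    return flagged


class LoginRateLimiter:
    """Sliding-window limiter keyed on both source IP and target account.

    Limiting per account as well as per IP means a distributed run (many IPs,
    one account list) is still slowed, which a per-IP limit alone would miss."""

    def __init__(self, max_per_ip=10, max_per_user=5, window_seconds=60):
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self.window = window_seconds
        self.ip_hits = defaultdict(deque)
        self.user_hits = defaultdict(deque)

    def _prune(self, hits, now):
        # Drop timestamps that have fallen outside the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()

    def allow(self, ip, user, now):
        """Return True if the attempt may proceed, False if it should be
        rejected or sent to a step-up check before any password is verified.
        Rejected attempts are not counted, so a blocked source cannot extend
        its own lockout indefinitely."""
        ip_hits, user_hits = self.ip_hits[ip], self.user_hits[user]
        self._prune(ip_hits, now)
        self._prune(user_hits, now)
        if len(ip_hits) >= self.max_per_ip or len(user_hits) >= self.max_per_user:
            return False
        ip_hits.append(now)
        user_hits.append(now)
        return True


def run_demo():
    """Parse the constructed log and return the flagged sources."""
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    print(run_demo())
```

On the sample above, 203.0.113.5 is flagged (six attempts against six different accounts, five failures) while 198.51.100.7, one user retrying their own password, is not. In a real deployment the detector would run over a time window rather than the whole log, and a limiter hit would trigger a step-up check such as MFA rather than a bare error.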
For policymakers, the case suggests raising the minimum bar for how public bodies handle identity data and authenticate citizens.
Jardine said the broader issue is that cybercriminals operate in an environment where enormous volumes of historical data already circulate online. AI is making that information significantly easier to weaponize. The focus now should be on absorbing lessons, not apportioning blame.