Almost one million Canadians had their contact information stolen in a cyberattack on the federal government’s authentication system, later used in a massive phishing campaign.

According to Employment and Social Development Canada (ESDC), hackers accessed about 881,000 phone numbers tied to the Canada Revenue Agency’s MyCRA service , as well as more than 85,000 email addresses connected to Canada Border Services Agency accounts.

The breach was first revealed in early September by the Chief Information Officer, who described it as a “data security incident” involving the government’s multi-factor authentication provider. At the time, officials stressed that only email addresses and phone numbers were taken, calling it a “non-material privacy incident.”

But the scale of the theft was not

See Full Page