One of the large challenges of the credential stuffing attacks is that they are reusing credentials taken elsewhere and impersonating a valid Canadian. From the system's perspective, they are going through the system in a normal way; they aren't going through a back door. There were no compromises. There was a slight exploitation on the CRA system in the early phase that was addressed, but since then, all of the patterns were people impersonating other Canadians.
We were able to see them because we looked for patterns at the back end of those behaviours. For example, large amounts of failed log-ins give us a hint that someone is trying to brute-force the system. We don't see that they've broken in, but we do see that there are signs that they are trying. That allows us to do the forensic research to determine if there were any fraudulent transactions on the system.