If it's okay, I'm happy to respond, Mr. Chair.
The question is quite correct. The general method that we are seeing for these attacks is.... There have been data or privacy breaches at other institutions in the private sector or the financial sector in the past, where large volumes of Canadians' personal information have been stolen from those organizations.
The fraudsters obtain this information on the Internet, through back channels. The list contains usernames, passwords, often social insurance numbers, and often the personal information of Canadians like addresses. The fraudsters use that information to attempt to get into legitimate client accounts inside our systems in order to obtain benefits. In many cases, if clients use the same usernames and passwords that they do for other institutions, there may be a way for fraudsters to get in.
So that's the general nature.