Impersonation Following the reception of the EI-AC (something the user has), the threat agent had two piece of information required to create an account and impersonating someone else with the social insurance number information obtained on the dark web (something the user knows). The threat agent was potentially able to: • Impersonate a user and change his personal information (banking information, address, security question and answers, etc.); • Apply for Employment Insurance (when CERB wasn’t available); • Apply for Canada Emergency Response Benefit through CRA Linkages; • Change the banking information of pensioners; • Apply for Grants; • Submit Record of Employment for given social insurance numbers; • Change employers contact information.