Technology & Science

CRA locks online accounts amid investigation, leaving users worried

More than 100,000 accounts affected, but federal agency says it was not hacked

Posted: February 17, 2021
Last Updated: February 17, 2021

An unknown number of taxpayers have been locked out of their online accounts with the Canada Revenue Agency. (Graham Hughes/The Canadian Press)

The Canada Revenue Agency has locked more than 100,000 taxpayers out of its online platform, telling users their email addresses have been removed from their accounts.

Dozens of users took to social media on Tuesday and Wednesday to report encountering the same "error 021" on their accounts. Several said they spent hours waiting on CRA's helpline to get their accounts unlocked, but either received little information or no response at all. The issue was first reported by the Daily Hive website.

"After being on hold for nearly three hours, the phone disconnected," one user, Jason Bell, wrote to CBC News. "My only emotion right now is worry. Worry that my account, finances or identity have been tampered with."

ADVERTISEMENT

Late Wednesday afternoon, the CRA said it had not been the target of a cyberattack, but that affected users may have been involved in separate data breaches. They're believed to have been using the same login information for both the agency's website and other online services, the CRA said in a statement to CBC News. 

"An internal analysis revealed evidence that some account credentials (i.e. user IDs and passwords) may have been compromised, and may be available for use by unauthorized individuals," CRA spokesperson Christopher Doody said in an email.

In the event of data breaches, personal information — such as usernames and passwords — is often made available on seedy corners of the internet, such as the dark web.

Earlier, users had been left with few details about the reason they'd been suddenly locked out, with the CRA only describing the move as "a security precaution in the context of ongoing investigative work."

CRA's move was "painful, but smart," according to David Shipley, CEO of the cyberfirm Beauceron Security.

ADVERTISEMENT

"Using breached lists to warn users is increasingly something we see in password managers and browsers," he said in a tweet.

Some taxpayers, however, questioned the agency's lack of communication.

"They could have handled it better instead of having all these people panic thinking they HAVE been breached and spending a whole day calling only to be disconnected each time," Carolyn Azar said in an email to a reporter.

Doody, the CRA representative, said "we took swift action to lock the accounts and are in the process of contacting the legitimate account holders to unlock their accounts." He previously said affected users would receive information in the mail about how to regain access online.

"There is no urgent need for taxpayers to contact us imminently unless they are an emergency benefit applicant and have active applications in our system," Doody said.

ADVERTISEMENT

"We will prioritize these calls to minimize delays in the delivery of these crucially important emergency benefits."

CRA said earlier this month it had hired additional call centre agents for what promises to be an exceptionally busy tax season amid the pandemic.

When a reporter dialled a CRA helpline on Tuesday night, he was told to call back later "due to high demand." A recording said "all of our agents are currently busy and our agent queues are full."

The CRA said it has bolstered cybersecurity measures since data breaches last year affected thousands of taxpayers.