5 security lapses at the Canada Revenue Agency

No organization has absolute, perfect security, but Canada's tax agency has been accused of being particularly lax in this regard in light of several recent incidents that exposed, or threatened to expose, sensitive taxpayer information. We take a look at some of the most notable breaches at the CRA.

Tax agency has had dozens of security and privacy breaches in recent years

Privacy Commissioner Jennifer Stoddart warned of 'marked weaknesses' in security at the Canada Revenue Agency in a 2013 report, including multiple cases of inappropriate accessing of taxpayer information by its own employees. (Sean Kilpatrick/Canadian Press)

No organization has absolute, perfect security. Even the CIA has let one or two things slip over the years. But Canada's tax agency has been accused of being particularly lax in this regard in light of several recent incidents that exposed, or threatened to expose, sensitive taxpayer information.

The Canada Revenue Agency accounted for 14 per cent of security and privacy breaches across all federal government agencies between April 30 of last year and Feb. 10, according to the federal privacy commissioner. It had 30 breaches in that time, out of a total 218 among government agencies.

We take a look at some of the more notable lapses of recent years.

Heartbleed

It's not CRA's fault there was a flaw in the OpenSSL cryptography library. Roughly two-thirds of all web sites relied on the same software, and web-heads around the world were horrified to learn in April 2014 it had a weakness that could be exploited by hackers.

But critics say CRA did not move quickly enough to staunch the potential bleeding of sensitive information. The tax agency pulled the plug on its online services on April 8, the same day another government agency issued an official warning about Heartbleed, but a full week after the bug's existence was first revealed.

During a six-hour window on April 8, someone used Heartbleed to break into CRA and steal the social insurance numbers of 900 Canadians.

Bad apples

Following an audit in 2013 the federal privacy commissioner warned of "marked weaknesses" in CRA's security habits, including the inappropriate accessing of taxpayer information by its own employees. The commissioner's report indicated more than 50 such cases over a two-year period, some involving thousands of taxpayer files, motivated by a mix of "curiosity ... personal gain, preferential treatment and fraud."

Over the years, several of CRA’s roughly 40,000 employees have been caught manipulating taxpayer information for personal gain. In 2010, Kurt Fagan, a CRA worker in St. John’s, was sentenced to four years in prison for embezzling $700,000 using dozens of personal income tax accounts. Last year, three former CRA employees in the Montreal area were charged with corruption and fraud for allegedly trying to extort money from restaurant owners in return for lower tax assessments.

The CRA has attempted to address some of the concerns raised in the 2013 audit by setting up an internal whistleblower hotline to "safeguard the assets, resources, information and reputation of the organization from fraudulent activity and inappropriate conduct by its employees."

Return to sender

Sensitive information landed in the mailbox of a Langley, B.C., woman after she requested some paperwork about her late daughter. The package sent to Danielle Baxter also included letters addressed to five other Canadians, stapled to financial records belonging to them or their family members.

Baxter later told CBC News she had a surprisingly hard time returning the documents to CRA.

Fraudulent filing

CRA stepped up its screening of volunteers in its Community Volunteer Income Tax Program after a suspected fraudster was spotted volunteering at one of the many CRA-supported tax clinics that help low-income Canadians and others with their tax forms.

The volunteer, who had previously been charged with fraud, was seen preparing returns at a clinic late in the 2014 filing season.

New security measures are being phased in over two years and will include a mandatory police records check of all volunteers. As of 2015, volunteers must register on the CRA's website and declare they have not been convicted of tax fraud or any other criminal offence.

Each volunteer must also get their own EFILE (electronic tax filing) certificate — a process with built-in screening — rather than use the master certificate belonging to the community organization offering the clinic.

Big-name donors exposed

CBC got more than it expected following an Access to Information request last year, when CRA sent 18 pages of unrelated and highly confidential information about more than 200 prominent Canadians, including former prime minister Jean Chrétien, broadcaster Moses Znaimer, financier Stephen Bronfman and author Margaret Atwood.

The data outlined donations of manuscripts, photographs and fine art they had made to galleries and museums, and the value the tax agency attached to each. It also included each person's home address.

The breach was "extremely serious and completely unacceptable," Revenue Minister Kerry-Lynne Findlay told the House of Commons.

Atwood called it "sloppy."
