5 security lapses at the Canada Revenue Agency
Tax agency has had dozens of security and privacy breaches in recent years
No organization has absolute, perfect security. Even the CIA has let one or two things slip over the years. But Canada's tax agency has been accused of being particularly lax in this regard in light of several recent incidents that exposed, or threatened to expose, sensitive taxpayer information.
The Canada Revenue Agency accounted for 14 per cent of security and privacy breaches across all federal government agencies between April 30 of last year and Feb. 10, according to the federal privacy commissioner. It had 30 breaches in that time, out of a total 218 among government agencies.
We take a look at some of the more notable lapses of recent years.
Heartbleed
It's not CRA's fault there was a flaw in the OpenSSL cryptography library. Roughly two-thirds of all web sites relied on the same software, and web-heads around the world were horrified to learn in April 2014 it had a weakness that could be exploited by hackers.
But critics say CRA did not move quickly enough to staunch the potential bleeding of sensitive information. The tax agency pulled the plug on its online services on April 8, the same day another government agency issued an official warning about Heartbleed, but a full week after the bug's existence was first revealed.
During a six-hour window on April 8, someone used Heartbleed to break into CRA and steal the social insurance numbers of 900 Canadians.
Bad apples
Following an audit in 2013, the federal privacy commissioner warned of "marked weaknesses" in CRA's security habits, including the inappropriate accessing of taxpayer information by its own employees. The commissioner's report indicated more than 50 such cases over a two-year period, some involving thousands of taxpayer files, motivated by a mix of "curiosity ... personal gain, preferential treatment and fraud."
Over the years, several of CRA’s roughly 40,000 employees have been caught manipulating taxpayer information for personal gain. In 2010, Kurt Fagan, a CRA worker in St. John’s, was sentenced to four years in prison for embezzling $700,000 using dozens of personal income tax accounts. Last year, three former CRA employees in the Montreal area were charged with corruption and fraud for allegedly trying to extort money from restaurant owners in return for lower tax assessments.
The CRA has attempted to address some of the concerns raised in the 2013 audit by setting up an internal whistleblower hotline to "safeguard the assets, resources, information and reputation of the organization from fraudulent activity and inappropriate conduct by its employees."
Return to sender
Sensitive information landed in the mailbox of a Langley, B.C., woman after she requested some paperwork about her late daughter. The package sent to Danielle Baxter also included letters addressed to five other Canadians, stapled to financial records belonging to them or their family members.
Baxter later told CBC News she had a surprisingly hard time returning the documents to CRA.
Fraudulent filing
CRA stepped up its screening of volunteers in its Community Volunteer Income Tax Program after a suspected fraudster was spotted volunteering at one of the many CRA-supported tax clinics that help low-income Canadians and others with their tax forms.
The volunteer, who had previously been charged with fraud, was seen preparing returns at a clinic late in the 2014 filing season.
New security measures are being phased in over two years and will include a mandatory police records check of all volunteers. As of 2015, volunteers must register on the CRA's website and declare they have not been convicted of tax fraud or any other criminal offence.
Each volunteer must also get their own EFILE (electronic tax filing) certificate — a process with built-in screening — rather than use the master certificate belonging to the community organization offering the clinic.
Big-name donors exposed
CBC got more than it expected following an Access to Information request last year, when CRA sent 18 pages of unrelated and highly confidential information about more than 200 prominent Canadians, including former prime minister Jean Chrétien, broadcaster Moses Znaimer, financier Stephen Bronfman and author Margaret Atwood.
The data outlined donations of manuscripts, photographs and fine art they had made to galleries and museums, and the value the tax agency attached to each. It also included each person's home address.
The breach was "extremely serious and completely unacceptable," Revenue Minister Kerry-Lynne Findlay told the House of Commons.
Atwood called it "sloppy."