Privacy commissioner’s report finds over 42,000 individual breaches at Canada Revenue Agency

The report indicated that the CRA failed to implement multi-factor authentication in a timely manner

The Canada Revenue Agency has been hit with over 42,000 individual breaches since 2020, according to a special report tabled in parliament by Canada’s privacy commissioner last week.

The report, which is based on the commissioner’s recent investigation into the agency’s security measures, revealed gaps in the CRA’s breach prevention, monitoring, detection, remediation, and governance processes. The commissioner indicated that the CRA was unable to provide the details of all confirmed and reported breaches due to tracking system restrictions, volume, and inadequate resources.

Moreover, the agency failed to implement required multi-factor authentication in a timely manner. Once MFA was in place, the CRA did not consistently use the more robust methods regarded as industry best practice.

The CRA also failed to adequately explain how attackers overcame authentication processes and accessed or modified personal information without authorization, opening the door for bad actors to redirect government benefits or make false requests for them. This can lead to financial loss for legitimate taxpayers.

“The Canada Revenue Agency holds highly sensitive and valuable personal information of Canadians, which can make it an attractive target for bad actors. Prioritizing privacy is essential to ensure that appropriately strong safeguards are used in a coordinated, proactive way to prevent breaches and to maintain the trust of Canadians,” privacy commissioner Philippe Dufresne said in a statement.

The commissioner presented nine recommendations to the CRA – eight were accepted in full and one in part. The agency pledged to enhance its tracking and reporting processes for individual breaches and to set a process to determine the effectiveness of safeguards against breaches.

The CRA also implemented one-time passcodes to improve its multi-factor authentication system.

“I am encouraged by the changes that the CRA has already implemented and has committed to implement over the coming months as it continues to address its privacy and data protection practices,” Dufresne said.

The Office of the Privacy Commissioner (OPC) last investigated the CRA and Employment and Social Development Canada in 2024. The privacy commissioner acknowledged that the CRA had adopted measures to bolster its security stance but indicated that it could improve further.
