Revenue Canada data breach is not an isolated incident
TDS News – In February, an analysis at Revenue Canada revealed they had significant evidence that some user IDs and passwords used to access CRA accounts may have been obtained by unauthorized third parties.
“We wish to reiterate that these user IDs and passwords were not compromised as a result of a breach of CRA’s online systems, rather they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA, such as email phishing schemes or third party data breaches.” In a statement received from Revenue Canada
Over 800,000 accounts were locked out of an abundance of caution to prevent unauthorized access. Individuals impacted by the phishing scam were notified by email that their email was removed from their account on February 16.
Revenue Canada confirmed the accounts that were locked in February, and user IDs and passwords were not compromised as a result of a breach of CRA’s online systems, rather they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA.
Locking accounts in this manner is part of normal CRA operations. However, as tax season has begun, and with the recent media coverage of the email notifications some Canadians received a few weeks ago.
As a preventative measure, these additional CRA user IDs and passwords, along with those associated with locked accounts in February, will be revoked and instructions will be made available to impacted individuals on how to re-gain access to their CRA account.
It should be noted that these preventative measures are not isolated incidences and may become more frequent to safeguard taxpayers’ information.
Impacted individuals who have signed up for CRA My Account email notifications will receive an email with instructions. Otherwise, they will receive the same instructions by mail.