[BreachExchange] Tax worker fired after biggest privacy breach at Revenue Canada

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 22 19:09:45 EDT 2017


The Canada Revenue Agency has fired an employee for the biggest single
privacy breach ever detected involving confidential taxpayer accounts.

The employee improperly accessed the accounts of 38 taxpayers in detail,
and briefly accessed another 1,264 accounts using a search function to find
surnames and postal codes.

The incident happened in an agency office in the Prairie region before
March 23, 2016, when an investigation was launched, says an internal report.

"No changes were made to any of the accounts," says the document, obtained
by CBC News under the Access to Information Act.

"The type of personal information included: name, contact information,
social insurance number, income and deductions, and employment information.
… Law enforcement will not be notified."

The document does not identify the worker or the precise date and location
of the breach.

A spokesman for the CRA acknowledged the incident, but played down the

"This represents the largest such breach at the CRA when measured by
numbers of accounts," Patrick Samson said in an email.

"However, it's important to note that these (1,264) accounts were viewed
for approximately two seconds per account. … The employee in question was
terminated for their actions."

The internal investigation into the breach concluded Nov. 16, 2016, with a
decision to notify the 38 individuals that their accounts had been
improperly scrutinized.

'Possibility of media attention'

"Regional management has indicated that there is a possibility of media
attention," says the report to the office of the federal privacy
commissioner, which is mandatory when there is a material privacy breach.

The disclosure follows the CRA's acknowledgment in February that one of its
couriers lost a DVD containing the confidential tax information of 28,000
taxpayers in Yukon — about three-quarters of the entire population in the

The information — referring to the 2014 filing year, and destined for the
territorial government — was encrypted and organized in a way to resist
unauthorized access.

"At this time, we have not been made aware that the data has been accessed
or used in any way," said Samson. "There is no evidence in this instance
that the personal information on the DVD has been compromised."

"The investigation is still ongoing in this case and no charges have been

The CRA reported nine material privacy breaches in the year that ended
March 31, eight of which involved employees improperly accessing taxpayer
information. All the workers involved were fired, said Samson.

The CRA has come under scrutiny for lax controls. Canada's privacy
commissioner investigated the problem in 2009 and 2013, and the agency is
typically among the top five privacy offenders of some 240 federal
institutions subject to the Privacy Act.

Snooping workers

Unlike in other departments, the culprits are usually snooping employees
rather than inadvertent breaches such as lost memory sticks. About 40,000
people work for the agency.

CBC News has obtained details of other previously unreported incidents
through the Access to Information Act, including one in the Ontario region
last June in which a worker improperly accessed 11 accounts, changing two
of them; and another Ontario incident, where an employee got into 25
accounts, disclosing information about six of them outside the agency.

On March 31, the CRA completed a $10.2-million technology project that it
says will more closely check on worker snooping. The system "will monitor
employee accesses to taxpayer information and will flag accesses that
appear inconsistent with the employees' assigned workloads or duties," said
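
The monitoring idea in that paragraph, flagging accesses that do not match an employee's assigned workload and catching rapid bulk browsing of the kind described earlier (many accounts viewed for roughly two seconds each), can be sketched as a small detector. What follows is an added illustration written for this page, not the CRA's system or any code from the article; the log line format, the assigned-workload table, the thresholds and the sample records are all constructed assumptions.

```python
"""Insider-access anomaly detection over constructed audit-log records.

Added illustration, not the CRA's system. Two checks:
  1. out_of_scope_accesses: account not in the employee's assigned workload.
  2. bulk_browsing: many distinct accounts in a short window with very short
     dwell times (the search-and-skim pattern the article describes).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    ts: datetime
    employee: str
    account: str   # taxpayer account identifier (constructed values)
    action: str    # "view" or "search"


# Constructed assumption: which accounts each employee is assigned to work on.
ASSIGNED_WORKLOAD = {
    "emp001": {"ACC-1001", "ACC-1002", "ACC-1003"},
    "emp002": {"ACC-2001"},
}

# Constructed sample log, format assumed: timestamp|employee|account|action.
# emp001 does normal work plus one account outside its assignment;
# emp002 skims 12 accounts at two-second intervals via search.
SAMPLE_LOG = [
    "2016-03-01T09:00:00|emp001|ACC-1001|view",
    "2016-03-01T09:04:00|emp001|ACC-1002|view",
    "2016-03-01T09:10:00|emp001|ACC-9999|view",
] + [f"2016-03-01T10:00:{2 * i:02d}|emp002|ACC-{3000 + i}|search" for i in range(12)]


def parse_log(lines):
    """Parse 'timestamp|employee|account|action' lines into Access records."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, emp, acct, action = line.split("|")
        records.append(Access(datetime.fromisoformat(ts), emp, acct, action))
    return records


def out_of_scope_accesses(records, workload):
    """Return (employee, account) pairs where the account is not assigned to the employee."""
    return [(r.employee, r.account) for r in records
            if r.account not in workload.get(r.employee, set())]


def bulk_browsing(records, window=timedelta(minutes=5), min_accounts=10,
                  max_dwell=timedelta(seconds=5)):
    """Map employee -> max distinct accounts touched in any window whose median
    gap between consecutive accesses is at most max_dwell."""
    by_emp = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_emp[r.employee].append(r)
    flagged = {}
    for emp, recs in by_emp.items():
        start = 0
        for end in range(len(recs)):          # sliding window over sorted accesses
            while recs[end].ts - recs[start].ts > window:
                start += 1
            span = recs[start:end + 1]
            distinct = {r.account for r in span}
            if len(distinct) < min_accounts:
                continue
            gaps = [span[i + 1].ts - span[i].ts for i in range(len(span) - 1)]
            median_gap = sorted(gaps)[len(gaps) // 2]
            if median_gap <= max_dwell:
                flagged[emp] = max(flagged.get(emp, 0), len(distinct))
    return flagged


def run_detection(lines=SAMPLE_LOG, workload=ASSIGNED_WORKLOAD):
    """Run both checks and return their findings in one dict."""
    records = parse_log(lines)
    return {
        "out_of_scope": out_of_scope_accesses(records, workload),
        "bulk_browsing": bulk_browsing(records),
    }


if __name__ == "__main__":
    for key, value in run_detection().items():
        print(key, value)
```

The workload check needs a reliable mapping from employee to assigned cases, which is the hard part operationally; the dwell-time check is independent of that mapping and would surface the two-seconds-per-account pattern even for an employee with no assignment data at all. Thresholds here are placeholders and would be tuned against a baseline of normal caseload activity.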

He added that the annual number of CRA-reported breaches has been falling,
from 34 in 2014 to 27 in 2015 and to 10 since Jan. 1, 2016.

Among the 2014 incidents was one in which a mailroom mix-up sent a CD full
of confidential taxpayer information to CBC News, including personal
information about more than 1,000 people, many of them celebrities.