Privacy
Canada Revenue Agency Faces Investigation Over Massive Data Breach
Why the Alert Is Important
This investigation into the CRA highlights the critical importance of data privacy and compliance for government agencies. With more than 30,000 privacy breaches reported, public trust and accountability are on the line, underscoring the need for strong data protection controls and for timely breach reporting.
Overview of the CRA Investigation
On October 29, 2024, Canada’s Privacy Commissioner, Philippe Dufresne, launched an investigation into the Canada Revenue Agency (CRA) in response to cyberattacks that led to over 30,000 privacy breaches, dating back to 2020. The CRA reported these incidents to the Office of the Privacy Commissioner of Canada (OPC) in May 2024, and since then, the OPC has engaged with the CRA to gain a clearer picture of the events and determine compliance with Canada’s Privacy Act. This inquiry, triggered by a formal complaint, will evaluate the CRA's adherence to mandatory breach reporting standards set forth by the Treasury Board Secretariat. Meanwhile, affected individuals are advised to safeguard their accounts by monitoring for unusual activity and updating their passwords.
Implications of the CRA Investigation
The announcement of the probe comes just days after it was revealed that this past tax season, hackers with unauthorized access to Canadians' CRA accounts changed direct deposit information and submitted false returns, duping the tax agency out of more than $6 million in illegitimate refunds. While the CRA has said the confidential data used in this particular scheme appears to have been obtained from H&R Block, the tax preparation firm has said there is no evidence the breach originated with it.
This investigation serves as a stark reminder of the responsibilities public institutions bear in protecting sensitive data. For both public and private sectors, staying ahead of compliance requirements is crucial to preventing breaches that can undermine consumer trust and attract regulatory scrutiny. Organizations handling sensitive data can benefit from resources that strengthen data protection programs, support regulatory compliance, and enable quick responses to potential risks.
While the source of this particular incident remains unclear, the circumstances highlight how dependent most organizations are on partner organizations. Numerous vendor-related events along the supply chain (SolarWinds, CrowdStrike, MOVEit) have made it abundantly clear that organizations must take a systemic approach to managing cyber and privacy risks, and this extends beyond 'vendors' to the whole ecosystem of organizations with which the organization shares information. Organizations must ensure these third parties safeguard the data they receive in a manner consistent with the sensitivity of the shared data.
Both privacy and security assessments must underlie these agreements, to evaluate the protections the third party actually has in place; a contract alone is never sufficient. There is also a continuing obligation to monitor and audit third parties, to have the tools to do so effectively, and to require that third parties have appropriate mechanisms for monitoring and identifying when a data breach has occurred. In that context, prompt notification and collaboration on the response are essential. Breaches will happen, and how quickly and how well the response is carried out matters. The organization remains accountable for its data regardless of whether a vendor or business partner is responsible for the breach.
These all require resources, and they will often be seen as competing with more exciting priorities such as speed in processing claims. That is, until the 'bad thing happens'.
Data Privacy Tip:
Regularly review the security of your online accounts by updating passwords and enabling multi-factor authentication. Learn more about effective data governance and security measures with Exterro’s resource on Data Privacy Compliance.