Investigation into the steps the Canada Revenue Agency took to ensure the accuracy of a taxpayer’s personal information that it used to make an administrative decision about them
Complaint under the Privacy Act (the “Act”)
March 28, 2024
Description
In 2023, the OPC received a complaint from a person whose information had been used by an imposter to apply for, and receive, the Canada Emergency Response Benefit (CERB). The fraudster was also able to subsequently apply for and receive Employment Insurance benefits from Employment and Social Development Canada. As a result, the complainant received a reassessment of their taxes from the CRA indicating that they owed the Government of Canada more than $5,500.
Our investigation concluded that at the time of the incident, the CRA relied upon inadequate safeguards to protect against unauthorized access and modification to the complainant’s CRA account and therefore did not take all reasonable steps to ensure the accuracy of personal information upon which it relied to make administrative decisions, as required by section 6(2) of the Privacy Act.
The CRA has since corrected the processes it uses to authenticate requests for access to CRA accounts, including requests received by telephone, and has added security measures for high-impact modifications to personal information.
Takeaways
- Safeguards used to protect against unauthorized access and modification should be commensurate with the sensitivity of the information an organization holds.
- The risk of harm to individuals stemming from identity theft is persistent and extends beyond financial impact. Associated privacy harms include the psychological distress of being victimized.
- Proper authentication is essential to confirm that the information collected is provided by the individuals themselves (or an authorized representative) to prevent malicious modification.
Report of findings
Overview
- The complainant alleges that the CRA contravened the accuracy provisions of the Act when it did not take all reasonable steps to ensure that the information used by an imposter to apply for and receive CERB benefits in the complainant’s name was accurate.
- More specifically, the complainant explained that his CRA My Account was compromised in 2020, following which his direct deposit and contact details were changed, and then a false benefit was applied for in his name and issued to an imposter. In April 2021, the complainant received a T4A slip (Statement of Pension, Retirement, Annuity, and Other Income) reporting COVID-19 Canada Emergency Response Benefit (“CERB”) payments issued in 2020 in his name.
- The complainant further alleged that because his CRA My Account was compromised, the imposter was subsequently able to fraudulently apply for and receive employment insurance (“EI”) for the 2021 calendar year from Employment and Social Development Canada (“ESDC”)Footnote 1. As a result, in 2022 the complainant received a reassessment of his 2021 taxes from the CRA indicating that he owed the Government of Canada more than $5,500.
- The CRA did not dispute that the complainant was the victim of identity theft, that there was unauthorized access to his account, and that fraudulent activity occurred as a result. As the unauthorized access to and modification of the complainant’s personal information via his My Account is not in dispute, the investigation focused on the safeguards that were in place at the time of the breach (to prevent such unauthorized access and modification), to enable us to assess whether reasonable steps were taken to ensure the accuracy of the personal information.
- It should be noted that a recently published OPC Report of Findings regarding a separate incident includes an assessment of safeguards that were in place during a different breach (in the same timeframe) where there were unauthorized disclosures and modifications of personal information held by the CRA, including via My Account. While the vector of attack was different from that which impacted this complainant, we nonetheless are of the view that the assessments conducted in that investigation pertaining to identity and credential authentication are of relevance to the matter at hand.
- In light of the above and for the purposes of the current complaint, we proceeded to assess whether the CRA took all reasonable steps to protect against unauthorized modifications to the complainant’s personal information by an imposter, as required by subsection 6(2) of the Act, which states that “a government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.”
- Based on our review of the submissions of the parties, we are of the view that the CRA did not take all reasonable steps to ensure the accuracy of personal information upon which it relied to make administrative decisions about the complainant, namely that it relied upon inadequate safeguards to protect against unauthorized access and modification resulting in the fraudulent issuance of CERB benefits, in the complainant’s name, to an imposter.
- Since the incident, the CRA has implemented corrections related to the processes that were used at the time of the breach and made commitments to our Office to implement changes to prevent recurrence of similar breaches, all of which are further described in the analysis section of this report.
- Accordingly, we find the matter is well-founded and conditionally resolved.
Analysis
Issue: The CRA did not take all reasonable steps to ensure the accuracy of personal information
- Subsection 6(2) of the Act requires a government department to take all reasonable steps to ensure that personal information that is used for an administrative purpose by the department is as accurate, up-to-date and complete as possible.
- As described in the Treasury Board Directive on Privacy Practices section 4.2.15 and 4.2.16, reasonable steps to ensure accuracy include: “…collecting personal information directly from the individual… [or] [i]mplementing…measures to: (1) [e]nsure that the personal information is obtained from a reliable source; or (2) [v]erify or validate the accuracy of the personal information before use.”
- In September 2020, the complainant learned that someone he knew had received a letter from the CRA indicating that their CRA My AccountFootnote 2 had been locked and that there had been changes to their banking information. This prompted the complainant to check his own My Account on September 25, 2020, and it is then that he discovered that seven CERB payments of $2,000 had been paid out in his name. The complainant called the CRA on September 28, 2020. During that call, the CRA agent noted that there were “several” instances where direct deposit information had been updated via My Account, that seven CERB applications had been submitted and that identity theft was strongly suspected.Footnote 3
- The CRA confirmed that on May 27, 2020, a second set of credentials had been created to access the complainant’s My Account at IDPL2.Footnote 4 Following this, the imposter contacted the CRA call centre impersonating the complainant, provided sensitive personal information (of the complainant) and “passed confidentiality measures.” This completed the verificationFootnote 5 process to confirm that the individual on the line was the taxpayer, and the imposter was then immediately able to change the email address on file with the CRA agent, “and a security code was sent by email to upgrade the credential (from IDPL2 to IDPL3, the highest level of confidence) so that the individual had full access to My Account services.”Footnote 6
- Later the same day, the direct deposit information in the complainant’s My Account was changed and three CERB applications were made. Between May 28 and July 8, 2020, the direct deposit information was modified several times and four more CERB applications were submitted; six applications for CERB were made online, and one via the call centre. In total, the CRA confirmed that sixFootnote 7 CERB payments were issued, totaling $12,000.
- In response to our question about whether there were triggers in place at the call centre upon the creation of a new set of credentials to access the complainant’s My Account, the CRA explained that the agent would not have asked about this since multiple credentials were allowed at that time.Footnote 8
- Our Office also asked whether a My Account holder would be notified if a change was made to an account (e.g., email), and the CRA responded in the negative.
- As mentioned in the Overview, we could not assess whether reasonable steps were taken to ensure the accuracy of the personal information without also examining the safeguards that were in place at the time of the breach to prevent such unauthorized access and modification.
- Overall, we found that the weak security measures and lack of risk mitigation measures (e.g., no additional controls on the modification of high-impact information such as direct deposit details, and the emailing of security codes used to increase an IDPL), coupled with previously investigated concerns related to identity and credential authentication, contributed to the identity theft and fraudulent activities that impacted the complainant.
- The recently published OPC Report of Findings includes an assessment of safeguards that were in place during a different breach, where there were unauthorized disclosures and modifications of personal information held by the CRA, including via My Account. While the vector of attack was different from that which impacted this complainant, we nonetheless are of the view that the assessments conducted in that investigation pertaining to identity and credential authentication are of relevance to the matter at hand.
- Proper authentication is essential to confirm that the information collected is not from imposters, but rather provided by the individuals themselves (or an authorized representative) to prevent malicious modification. The risk of harm to an individual from unauthorized access and modification is high, and imposters can benefit from the fraud that creates these harms.
- In this case, by successfully passing the required authentication steps that the CRA had in place at the time and entering into the complainant’s My Account, the imposter was able to input inaccurate information about the complainant into the CRA system. That information was then used to make decisions about the complainant, namely, the issuance of CERB benefits in his name.
- As these matters were thoroughly examined and reported on in detail under separate cover, we will not restate the full analysis for the purpose of this report. However, it is worth noting, as it remains applicable here, that we previously reported that safeguards used to protect against unauthorized access and modification should be commensurate with the sensitivity of the information that an imposter could gain access to. The information that is accessible via My Account is extensiveFootnote 9, and the complainant’s situation, as described in both that report and this one, highlights the significant and long-standing impacts to individuals, and thus the importance of preventing unauthorized access to and modification of individuals’ personal information.
- In addition, we previously found that the CRA under-assessed the level of identity authentication warranted for the online services affected by that breach (including My Account), which resulted in inadequate authentication practices that did not protect against identity theft. This position applies to the case before us because the personal information held in, and modifiable through, online CRA accounts is the same voluminous and sensitive information that an imposter was able to gain access to and fraudulently use.
- As a result of the foregoing, we determined that at the time of the breach, the CRA was not taking all reasonable steps, as required by subsection 6(2), to ensure the accuracy of the personal information that it used for administrative purposes, and contravened the accuracy provision of the Act.
- The CRA advised that in May 2021, following additional exchanges with the complainant, it confirmed that the complainant did not apply for the CERB and that there was unauthorized use of taxpayer information by a third-party (“UUTP”). Subsequently, the CERB payments were deleted from the complainant’s account, and he was advised to disregard the T4A statement received.
- In addition, since these incidents occurred, the CRA has implemented measures to help prevent recurrence of similar activities, including no longer delivering by email the security code used to access digital online services, strengthening its procedures for confirming authorization requests received by telephone, and adding security measures for high-impact modifications to personal information, such as changes to direct deposit information.
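The control gaps the report identifies (a second credential added without notice, a security code emailed to an address that had just been changed, and direct deposit changed with no step-up verification) can be expressed as a per-event policy and replayed against the account timeline. The following is an added illustration, not the CRA’s system or code; the event names, the 48-hour cooling-off window, the `step_up_verified` flag and the constructed timeline modelled on the May 27, 2020 chain are assumptions. It evaluates the same events once under controls resembling those the report describes for 2020 and once under the corrected controls.

```python
"""Replay an account-change timeline under a weak and a hardened policy.

Constructed illustration only; not the CRA's code.  Event kinds, the
cooling-off window and the step-up flag are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed: high-impact changes are refused for this long after a credential
# or contact-detail change, even when step-up verification succeeds.
COOLING_OFF = timedelta(hours=48)


@dataclass
class Event:
    ts: datetime
    kind: str      # credential_created | email_change | security_code_sent | direct_deposit_change
    channel: str   # "web" or "phone"
    details: dict = field(default_factory=dict)


@dataclass
class State:
    credentials: int = 1   # the account holder's own credential already exists
    last_email_change: Optional[datetime] = None
    last_credential_created: Optional[datetime] = None


def _recent(ts: datetime, since: Optional[datetime]) -> bool:
    return since is not None and ts - since < COOLING_OFF


def decide(event: Event, state: State, hardened: bool):
    """Return (decision, reason) for one event and update the account state.

    hardened=False mirrors the 2020-era behaviour described in the report:
    extra credentials accepted silently, security codes emailed, no step-up
    for direct-deposit changes.  hardened=True applies the corrected controls.
    """
    k = event.kind
    if k == "credential_created":
        state.credentials += 1
        state.last_credential_created = event.ts
        if hardened and state.credentials > 1:
            return "allow+notify", "additional credential on existing account; notify holder"
        return "allow", "credential created"
    if k == "email_change":
        state.last_email_change = event.ts
        if hardened:
            return "allow+notify", "notify the previous email address of the change"
        return "allow", "email updated"
    if k == "security_code_sent":
        if hardened:
            if event.details.get("delivery") == "email":
                return "deny", "security code must not be delivered by email"
            if _recent(event.ts, state.last_email_change):
                return "deny", "contact details changed within cooling-off window"
        return "allow", "security code issued"
    if k == "direct_deposit_change":
        if hardened:
            if not event.details.get("step_up_verified", False):
                return "deny", "high-impact change requires step-up verification"
            if _recent(event.ts, state.last_email_change) or _recent(
                event.ts, state.last_credential_created
            ):
                return "deny", "high-impact change inside cooling-off window"
            return "allow+notify", "direct deposit updated; notify holder"
        return "allow", "direct deposit updated"
    return "allow", "no policy for this event kind"


def evaluate(events, hardened: bool):
    """Replay events in time order; returns [(kind, decision, reason), ...]."""
    state = State()
    return [(e.kind, *decide(e, state, hardened)) for e in sorted(events, key=lambda e: e.ts)]


# Constructed timeline modelled on the chain described in the report for May 27, 2020.
TIMELINE = [
    Event(datetime(2020, 5, 27, 9, 0), "credential_created", "web", {"idpl": 2}),
    Event(datetime(2020, 5, 27, 10, 0), "email_change", "phone"),
    Event(datetime(2020, 5, 27, 10, 5), "security_code_sent", "phone",
          {"delivery": "email", "target_idpl": 3}),
    Event(datetime(2020, 5, 27, 15, 0), "direct_deposit_change", "web"),
]

if __name__ == "__main__":
    for label, hardened in (("2020-era controls", False), ("hardened controls", True)):
        print(label)
        for kind, decision, reason in evaluate(TIMELINE, hardened):
            print(f"  {kind:22} {decision:13} {reason}")
```

Under the weak policy every step is allowed and the holder is never told; under the hardened policy the email-delivered code and the direct-deposit change are refused and the new credential and email change each generate a notification, which is the point at which the account holder would have learned of the compromise in May rather than September.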
- In the recently published Report of Findings referenced in paragraph 19, also of relevance in this matter, our Office made recommendations to the CRA with regards to altering their identity and credential assurance practices, which the CRA agreed to implement.Footnote 10 We are therefore satisfied that once the commitment to these recommendations has been fulfilled, the matter related to inadequate identity authentication will be resolved.
- Therefore, we find the matter is well-founded and conditionally resolved.
- During the course of our investigation, we also learned that on May 25, 2020, two days prior to the initial incident described earlier in the analysis, someone who appeared to be using their own credentialsFootnote 11 submitted a request (using the “Represent a Client” portal) to be an authorized representativeFootnote 12Footnote 13Footnote 14 on the complainant’s account.
- In order to do so, the individual first had to create a Representative ID (“Rep ID”); this required the imposter to provide the complainant’s name and SINFootnote 15, which then allowed them to be linked to a particular account (that of the complainant). In this case, once the Representative and the taxpayer were “matched” in the system, the imposter was granted IDPL1 – viewFootnote 16 only access.
- The CRA further indicated that on May 27, 2020, the newly authorized representative used the CRA’s Represent a Client portal to view the complainant’s personal information.
- When asked if these breaches of the complainant’s personal information were carried out by the same imposter, the CRA indicated that there was no relation between the Rep ID fraud and the creation of the second credential on the complainant’s account described above.
- However, we are of the view that these fraudulent activities – (i) an imposter viewing the complainant’s personal information via the Represent a Client portal, and (ii) an imposter successfully creating a new credential to gain unauthorized access to the complainant’s account in order to modify the personal information therein – occurring on the same day were, on a balance of probabilities, likely carried out by the same individual.
- While the CRA was unable to confirm this was the case, it stands to reason that the imposter may have been able to (i) view a certain amount of information contained in the complainant’s My Account via the Represent a Client portal to (ii) successfully create a new credential to directly access the complainant’s My Account and (iii) subsequently upgrade their credential to have full access to the complainant’s My Account, where information such as direct deposit can be modified.
- Following the incident, the CRA implemented the “Confirm my Representative” service for all Represent a Client requests for authorization, whereby a taxpayer is required to log in to their account to authorize the Representative.Footnote 17 The CRA also increased the identity proofing of representatives to IDPL3.
- Overall, we are satisfied with the measures that the CRA has already taken, and its commitment to implement the relevant recommendations in the recently published and related report will help to prevent future recurrence of similar incidents.
Other
Reassessment of taxes by the CRA because of fraudulent activity impacting the complainant’s account
- The complainant took issue with the fact that because of his compromised CRA account, he was the victim of identity theft at ESDC, and an imposter claimed and was issued over $26,000 in EI. As mentioned in the Overview, the complaint against ESDC was investigated and reported under separate cover. However, the complainant argued that he continued to receive correspondence from the CRA in the matter as it related to his taxes. Based on the T4E slip (Statement of Employment Insurance and Other Benefits) dated April 25, 2022, issued by ESDC and reporting the benefits paid, the CRA issued a reassessment of the complainant’s 2021 taxes wherein he was advised he owed the government $5,689.81.
- Because the correspondence originated from the CRA, the complainant attempted to resolve this issue with them directly, to no avail. In a letter to the complainant on October 11, 2022, the CRA explained that the T4E issued by the government indicated that $26,931 in benefits had been received by the complainant, and that in accordance with subparagraph 56(1)(a)(iv) of the Income Tax Act it was obliged to include this amount as part of his income for the corresponding tax year, resulting in the reassessment that the CRA had previously issued to him. The CRA advised at that time that the complainant should contact Service Canada, if he did not receive any employment benefits, to obtain a deleted or amended T4E.
- The complainant subsequently received correspondence from the CRA dated March 10, 2023, indicating that interest had been added to his amount owing, which now totaled $6,018.97. The letter further stated, “To avoid more interest charges and possible legal action against you, please pay now…”.
- When the CRA received notice of this investigation, it reached out to ESDC in the matter, on May 23, 2023. By June 5, 2023, the complainant’s T4E slips had been modified, his 2020 and 2021 tax filings had been adjusted, and he received new notices of reassessment for the 2020 and 2021 tax years.
- Nonetheless, our Office is of the view that because the CRA was aware that this taxpayer had been the victim of identity theft related to CRA systems and the CERB, the CRA should have contacted ESDC sooner after the complainant reached out indicating he had not received employment benefits, to share with ESDC the related risk of identity theft, such that ESDC could investigate the complainant’s claim of EI fraud, and the situation could have been resolved for the complainant much sooner. This is especially the case here since at the time of the incident, the CRA and ESDC had a system in place that allowed an individual who logged in via CRA My Account to freely access the corresponding ESDC account in that individual’s name, and vice versa, without any additional required authentication.
- In this regard, we encourage the CRA to consider implementing measures to address situations where taxpayer information that is accessible in another department’s system has been compromised, to prevent significant delays in addressing the matter and mitigate harm to individuals.
Notification and Privacy Breach Reporting
Notification
- We note that the complainant’s account was compromised in May 2020, that the complainant raised the matter with the CRA in September 2020, and that the agency worked with him to reverse the impact on his account by May 2021. However, he only received a notification letter (explaining the compromise and offering credit monitoring) in October 2022.
- The CRA explained that in September 2022, it began retroactively providing credit monitoring to individuals who were affected by UUTP between March 16, 2020 and July 2022.
- While we acknowledge that up until late 2020 the CRA was focusing on detecting, containing, investigating and mitigating incidents of UUTP, we are of the view that providing timely notification and mitigation measures to individuals is a crucial step in minimizing the harm to affected individuals.
- We therefore encourage the CRA to act more promptly to notify affected individuals in instances where a breach is material and could reasonably be expected to result in injury or harmFootnote 18 to those individuals.
Privacy Breach Reporting
- At the beginning of the investigation, the CRA had not yet submitted a privacy breach report regarding this matter to the OPC in accordance with the mandatory breach reporting obligations under the Treasury Board Secretariat (“TBS”) Directive on Privacy Practices. During the investigation, we asked the CRA if it intended to do so, because the unauthorized access impacted the complainant via two vectors: (i) Representative ID fraud; and (ii) CERB fraud.
- The CRA indicated that it would be completing a breach report “for the unauthorized representative access,” and that it was “preparing a privacy breach report for instances where suspected ID theft has resulted in material privacy breaches.” With specific regards to CERB fraud, the CRA explained that “not all fraud cases involve a privacy breach…”. While we accept that not all fraud cases may involve a privacy breach, we note that this particular case is an example illustrating a real risk of significant harm, such that we would have expected the CRA to submit a report.
- As of the time of this report, our Office had not received any mandatory breach reports related to this matter.
- Our Office’s Breach Response Unit will follow-up directly and under separate cover regarding these outstanding issues.