Briefing for the Minister of National Revenue

Cyber and account security

Issue

The Canada Revenue Agency's (CRA) key role in administering COVID-19 benefits and services has provided an impetus for bad actors to exploit the CRA's systems and procedures.

Most notably, in August 2020, the Government of Canada was subject to “credential stuffing” attacks on its GCKey and CRA Login services. The CRA identified suspicious activity on thousands of CRA user accounts between approximately early July and mid-August. During these events, some CRA accounts were improperly accessed, and in some cases information was disclosed and modified by unauthorized external bad actors. The attacks used usernames and passwords (credentials) collected from previous hacks of organizations external to the Government of Canada. In response to the attacks, the Government of Canada put in place measures to prevent further attempts to access its services with these compromised credentials.
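The two controls this paragraph points to, refusing logins that reuse credentials known from earlier breaches and recognizing the stuffing pattern itself (one source cycling through many different usernames, mostly failing), as an added illustration that is not part of the briefing and describes no actual CRA or GCKey system; the breach set, the HMAC key and the log lines are constructed placeholders.

```python
import hashlib
import hmac
from collections import defaultdict

# Placeholder key (assumption); a real deployment keeps and rotates this secret.
FINGERPRINT_KEY = b"placeholder-key-rotate-in-production"

def fingerprint(username, password):
    """Keyed hash of a credential pair, so clear-text pairs are never stored."""
    msg = f"{username.strip().lower()}\x00{password}".encode("utf-8")
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()

# Constructed breach corpus: pairs leaked from organizations outside the service.
COMPROMISED = {fingerprint("alice", "Summer2019!"), fingerprint("bob", "hunter2")}

def is_compromised(username, password):
    """True if this exact pair is known from a previous breach: refuse the login
    and force a reset even when the password would otherwise be accepted."""
    return fingerprint(username, password) in COMPROMISED

# Constructed login log for one time window: "timestamp source username outcome".
LOG = """\
2020-07-15T02:00:01 198.51.100.7 alice FAIL
2020-07-15T02:00:02 198.51.100.7 bob FAIL
2020-07-15T02:00:03 198.51.100.7 carol FAIL
2020-07-15T02:00:04 198.51.100.7 dave OK
2020-07-15T02:00:05 198.51.100.7 erin FAIL
2020-07-15T02:05:00 203.0.113.9 frank FAIL
2020-07-15T02:05:30 203.0.113.9 frank FAIL
2020-07-15T02:06:00 203.0.113.9 frank OK
"""

def stuffing_sources(lines, min_users=3, min_fail_rate=0.6):
    """Return {source: (distinct_users, fail_rate)} for sources that cycle through
    many different usernames with mostly failures, the credential-stuffing
    signature (one account being guessed repeatedly is not flagged)."""
    users = defaultdict(set)
    counts = defaultdict(lambda: [0, 0])  # source -> [attempts, failures]
    for line in lines:
        _ts, source, user, outcome = line.split()
        users[source].add(user)
        counts[source][0] += 1
        counts[source][1] += outcome == "FAIL"
    flagged = {}
    for source, (total, fails) in counts.items():
        rate = fails / total
        if len(users[source]) >= min_users and rate >= min_fail_rate:
            flagged[source] = (len(users[source]), rate)
    return flagged
```

Note that the successful attempt from the flagged source is the one that matters most to responders: a stuffing source with any OK outcomes marks accounts that need a forced reset and review, not just a block.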

[Redacted]

Things to consider

  • With the introduction of COVID-19 benefits and services, both the number and the sophistication of scammers posing as CRA employees increased, as did the number of scammers impersonating individuals in order to receive COVID-19 benefits.
  • The CRA takes the protection of Canadians' tax information very seriously. The confidence and trust that individuals and businesses have in the CRA is a cornerstone of Canada's voluntary tax system.
  • The CRA's public opinion research noted a decline in agreement with the statement “Confident that My Account is a secure online platform that protects personal information”, dropping from 73% agreement in 2018-2019 to 67% in 2020-2021.
  • [Redacted]

Next steps

  • The Federal Budget 2021 proposes to provide $330.6 million over five years, starting in 2021-22, and $51.2 million ongoing, to the CRA to invest in new technologies and tools that match the growing sophistication of cyber threats, and to ensure the CRA's workforce has the specialized skills to proactively monitor threats and better safeguard Canadians' data. The funding would go towards enhancements that would strengthen the protection of taxpayers' information from both internal and external security threats.
  • The CRA is planning a number of additional mitigation measures and controls to continue closing newly identified vulnerabilities and addressing emerging threats, such as strengthening authentication measures at CRA call centres and online portals.

Key messages

  • The CRA has a defence-in-depth approach to security and does not rely on any single solution. This layered approach defends CRA systems from cyber attacks. As scammers adapt their practices, so does the CRA.
  • To ensure Canadians can feel confident and safe using its online services, the CRA has implemented additional security measures, including multi-factor authentication.
  • However, no organization is immune to cyber incidents or fraudulent activity.
  • Taxpayers who are confirmed victims of identity fraud are not held responsible for any money paid out to scammers using their identity, and are offered credit monitoring and protection services free of charge.
  • The CRA will continue working to adjust and improve its security measures in response to an ever-evolving threat environment and continuing intrusion attempts.

Background

The CRA has centralized the management of its overall security program to fully integrate security considerations in every step of the decision-making process.

It has reshaped its approach to account and cyber security under five pillars: Identify, Detect, Protect, Respond and Recover. As part of this strategy, the CRA has overhauled governance, reorganized programs, and introduced new programs. One such program is the Account Security Program, which was introduced in 2021 in part to manage the influx of compromised accounts and to provide more coordinated governance.

The CRA has strengthened its network of external partnerships with other government departments, financial institutions, and provinces and territories, recognizing that security cannot be managed in isolation. These partnerships allow the CRA to better respond to events, close vulnerabilities, and share intelligence and best practices to further protect personal information.
