Agency says $10.2M computer upgrade will catch snooping employees
The Canada Revenue Agency has fired an employee for the biggest single privacy breach ever detected involving confidential taxpayer accounts.
The employee improperly accessed the accounts of 38 taxpayers in detail, and briefly accessed another 1,264 accounts using a search function to find surnames and postal codes.
The incident happened in an agency office in the Prairie region before March 23, 2016, when an investigation was launched, says an internal report.
“No changes were made to any of the accounts,” says the document, obtained by CBC News under the Access to Information Act.
“The type of personal information included: name, contact information, social insurance number, income and deductions, and employment information. … Law enforcement will not be notified.”
The document does not identify the worker or the precise date and location of the breach.
A spokesman for the CRA acknowledged the incident, but played down the impact.
“This represents the largest such breach at the CRA when measured by numbers of accounts,” Patrick Samson said in an email.
“However, it’s important to note that these (1,264) accounts were viewed for approximately two seconds per account. … The employee in question was terminated for their actions.”
The internal investigation into the breach concluded Nov. 16, 2016, with a decision to notify the 38 individuals that their accounts had been improperly scrutinized.
‘Possibility of media attention’
“Regional management has indicated that there is a possibility of media attention,” says the report to the office of the federal privacy commissioner, which is mandatory when there is a material privacy breach.
The disclosure follows the CRA’s acknowledgment in February that one of its couriers lost a DVD containing the confidential tax information of 28,000 taxpayers in Yukon — about three-quarters of the entire population in the territory.
‘The investigation is still ongoing in this case and no charges have been laid.’– CRA spokesman on loss of 28,000-name DVD
The information — referring to the 2014 filing year, and destined for the territorial government — was encrypted and organized in a way to resist unauthorized access.
“At this time, we have not been made aware that the data has been accessed or used in any way,” said Samson. “There is no evidence in this instance that the personal information on the DVD has been compromised.”
“The investigation is still ongoing in this case and no charges have been laid.”
The CRA reported nine material privacy breaches in the year that ended March 31, eight of which involved employees improperly accessing taxpayer information. All the workers involved were fired, said Samson.
The CRA has come under scrutiny for lax controls. Canada’s privacy commissioner investigated the problem in 2009 and 2013, and the agency is typically among the top five privacy offenders of some 240 federal institutions subject to the Privacy Act.
Unlike in other departments, the culprits are usually snooping employees rather than inadvertent breaches such as lost memory sticks. About 40,000 people work for the agency.
CBC News has obtained details of other previously unreported incidents through the Access to Information Act, including one in the Ontario region last June in which a worker improperly accessed 11 accounts, changing two of them; and another Ontario incident, where an employee got into 25 accounts, disclosing information about six of them outside the agency.
On March 31, the CRA completed a $10.2-million technology project that it says will more closely check on worker snooping. The system “will monitor employee accesses to taxpayer information and will flag accesses that appear inconsistent with the employees’ assigned workloads or duties,” said Samson.
He added that the annual number of CRA-reported breaches has been falling, from 34 in 2014 to 27 in 2015 and to 10 since Jan. 1, 2016.
Among the 2014 incidents was one in which a mailroom mix-up sent a CD full of confidential taxpayer information to CBC News, including personal information about more than 1,000 people, many of them celebrities.