mailing list archives
NDP urge investigation of privacy breaches at Canada Revenue Agency
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Dec 2013 00:23:06 -0700
The Opposition New Democrats want an investigation of new privacy concerns
at the Canada Revenue Agency after the agency was unable to tell the NDP
just how many privacy breaches it had sustained in the last 10 years.
The agency was asked by the NDP for information on how many data,
information and privacy breaches had been recorded in each year between
2002 and 2012. Some other departments were able to provide data on privacy
breaches, with the results showing more than 3,000 recorded breaches with
almost 87 per cent of those breaches not reported to the privacy
The NDP asked CRA twice for that date, only to be told both times that the
CRA couldn’t provide any details because a search of records would be too
cumbersome and time-consuming.
The NDP asked for the number of breaches per year, the number of affected
people per breach, the number of breaches reported to the privacy
commissioner and how many breaches led to criminal activity — only to be
told this week that the agency “does not capture the information by
breach.” The agency said a “manual search of records would have to be
undertaken to extract the data.”
The NDP’s ethics critic, Charlie Angus, sent two letters this week, the
first to the privacy commissioner’s office requesting a deeper probe into
the CRA, weeks after the commissioner’s office released a critical audit of
agency practices. The second letter went to the minister in charge of the
CRA, asking her to conduct an internal investigation given the agency
apparently “did not have a proper system of quality control or checks in
In the letter to Minister of National Revenue Kerry-Lynne Findlay, Angus
argued the agency’s response to NDP questions essentially told Canadians
the CRA “did not have a proper system of quality control or checks in
place” to protect taxpayers’ sensitive personal information.
“It is concerning that the Canada Revenue Agency compels our senior
citizens to go online and do their taxes and yet you cannot guarantee them
they won’t lose their often sensitive data,” Angus wrote.
“The Canada Revenue Agency is a governmental department that handles some
of the most sensitive personal information that Canadians are compelled by
force of law to provide to the government. One would hope therefore that it
would be more advanced in data breach management — not entirely incapable
of tracking and reporting.”
A spokeswoman for Findlay didn’t say if the government would launch any
review, but that it would work closely with the privacy commissioner’s
“Our government takes the privacy of Canadians very seriously, especially
the proper handling of sensitive personal information,” Julie Carmichael
said in an email. “We will continue to work closely with the privacy
commissioner to ensure that the privacy of Canadians is protected.”
The CRA has drawn the attention of the privacy commissioner before. The
commissioner released a special audit in late November that suggested the
agency still had work to do to ensure its employees weren’t snooping around
in taxpayers’ files without anyone at the agency knowing.
The CRA has launched projects to better track which files employees access,
and to have a better password management system to ensure the person
logging in is the actual employee entitled to do so, and not an impostor.
In 2016, the agency plans better oversight of who has access to its system,
and how much access they can receive.
There was no immediate comment from Findlay’s office Wednesday.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
- NDP urge investigation of privacy breaches at Canada Revenue Agency Audrey McNeil (Dec 17)