Establishing Digital Trust: Don't Sacrifice Security for Convenience
The Canada Revenue Agency (CRA) recently acknowledged that a CRA employee accidentally sent an 18-page spreadsheet containing confidential tax information to a CBC News reporter in response to a completely unrelated query.
The data included home addresses and information on charitable donations made by prominent Canadians such as author Margaret Atwood, former prime minister Jean Chretien, film producer Robert Lantos and painter Christopher Pratt.
Charitable donations listed in the spreadsheet ranged from $5,000 for personal papers to a Rubens painting valued at $200 million.
In a statement, the CRA explained, "The document was accidentally released to the CBC through human error. When the CRA became aware of the breach, CRA officials immediately contacted the CBC to inform them of the error and retrieve the documents."
"The CBC did not respond to the CRA's request to retrieve information," the CRA added. "Regrettably, the CBC chose to publicly disclose the names."
According to the statement, the CRA is currently contacting everyone affected by registered mail.
"This privacy breach is extremely serious and completely unacceptable," Revenue Minister Kerry-Lynne Findlay acknowledged in the House of Commons. "Measures are being taken to notify, support and protect individuals affected by this breach."
In a report on the breach, CBC News said breaches like these "have become almost routine."
Valerie Lawton, spokesperson for Canada's privacy commissioner, told CBC that 168 federal privacy breaches have been reported since April 1, 2014, including 22 at the Canada Revenue Agency alone.
On April 8, 2014, the CRA was forced to stop accepting online tax returns due to the Heartbleed bug, and soon after, the agency acknowledged that 900 Canadians' social insurance numbers were stolen from its website by an attacker leveraging the flaw. "We have augmented our monitoring and surveillance measures, so that the security of the CRA site continues to meet the highest standards," CRA commissioner Andrew Treusch said at the time.
On April 9, 2014, the Office of the Privacy Commissioner of Canada discovered that a lost hard drive may have exposed 800 current and former employees' names, government ID numbers and salaries. The drive was not encrypted.
And in July 2014, Canada's Chief Information Officer acknowledged that the IT infrastructure of the National Research Council of Canada had been breached by "a highly sophisticated Chinese state-sponsored actor."
In response to the latest breach, OpenMedia.ca communications manager David Christopher said, "It’s no wonder that everyday Canadians just don’t trust the government’s reckless approach to their privacy. Canadians entrust hugely sensitive and private information to the government, and they expect that trust to be respected. It is absolutely appalling that deeply revealing financial information can be handed to a journalist by the government’s tax agency."