Canada Revenue Agency decides your privacy isn't important

Filed Under: Data loss, Privacy

Income Tax Creative Commons photo courtesy of alancleaver_2000's Flickr photostream

The largest data breach in the history of the Canada Revenue Agency (our version of the IRS) recently occurred here in Vancouver, but you probably didn't hear about it. Why? The CRA decided that you don't need to know.

According to SC Magazine, a tax inspector in Vancouver, British Columbia is accused of looking at hundreds of taxpayers' records in an apparent attempt to drum up business for an operation she was running on the side. She targeted individuals with a high net worth and leveraged the wealth of information she could extract from the CRA's computer systems.

The CRA discovered the breach nearly 2 years ago and upon investigation found 407 social insurance numbers (like Social Security numbers in the US) written on scraps of paper at the inspector's workstation. She had accessed the tax records for most of these accounts, but was not working on cases related to them.

The CRA said it would not be contacting the taxpayers as there was no threat to their tax details. What?? Someone accessed details of my income, job, address and more than enough information to steal my identity, but I don't need to know? I suppose I don't need to worry as I am not a "high net-worth individual," but something about this whole incident stinks.

The good news? Apparently they have strict audit and log controls to know exactly what this woman was up to. Now if only they would use this information to partner with the victims instead of sweeping the incident under the rug, we could celebrate instead of criticize.

If you handle Personally Identifiable Information (PII), the use of encryption and strict auditing is a great one-two punch for prevention and incident response. Sensitive data should always be stored in an encrypted format and only be accessible to parties with a need to know. If, like the CRA, you end up with a bad apple, at least you will know who, how, and when the information was accessed in case you need to step up and face the music. Maybe the CRA could teach the US military a few tricks.
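As an added example (not code from the post, Sophos or the CRA), here is the kind of audit-log review the "who, how and when" argument depends on: it flags taxpayer records an employee viewed without having a case assigned to them, the pattern described above. The log format, employee names, record ids and case assignments are all constructed for the example.

```python
# Added example: review an access audit log for record lookups that fall
# outside an employee's assigned caseload. Every value below is constructed.
from collections import defaultdict

# Constructed assignment table: which taxpayer files each employee works on.
ASSIGNED_CASES = {
    "inspector_a": {"T-1001", "T-1002"},
    "inspector_b": {"T-2001"},
}

# Constructed audit log: timestamp, employee, action, record id.
AUDIT_LOG = """\
2013-03-01T09:02:11Z inspector_a VIEW T-1001
2013-03-01T09:15:40Z inspector_a VIEW T-1002
2013-03-01T10:01:05Z inspector_a VIEW T-3107
2013-03-01T10:01:59Z inspector_a VIEW T-3108
2013-03-01T10:02:44Z inspector_a VIEW T-3109
2013-03-01T11:30:00Z inspector_b VIEW T-2001
"""

def parse_audit_log(text):
    """Parse space-separated audit lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: ignore it rather than abort the review
        ts, user, action, record = parts
        events.append({"ts": ts, "user": user, "action": action, "record": record})
    return events

def out_of_scope_accesses(events, assigned):
    """Return {user: [(ts, record), ...]} for VIEWs of records outside the user's caseload."""
    findings = defaultdict(list)
    for e in events:
        if e["action"] != "VIEW":
            continue
        if e["record"] not in assigned.get(e["user"], set()):
            findings[e["user"]].append((e["ts"], e["record"]))
    return dict(findings)

def users_over_threshold(findings, limit):
    """Users whose out-of-scope view count exceeds limit; these get escalated."""
    return sorted(u for u, hits in findings.items() if len(hits) > limit)

if __name__ == "__main__":
    hits = out_of_scope_accesses(parse_audit_log(AUDIT_LOG), ASSIGNED_CASES)
    for user in users_over_threshold(hits, limit=2):
        print(f"{user}: {len(hits[user])} record views outside assigned cases")
```

A real deployment would read the log from the application's audit store and the assignment table from the case-management system; the threshold is a tuning choice, not a fixed rule.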



About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.