Skip to main content
NewslettersWatchlist
CRA’s phishing test: The latest chapter in history of security problems
security

This article was published more than 8 years ago. Some information may no longer be current.

Earlier this year, thousands of Canada Revenue Agency employees fell for a phony e-mail phishing scam, sent as an internal security exercise by the tax agency, The Globe reported Thursday. The test raises new questions about the privacy and security of Canadians’ tax data, and it comes after several high-profile security threats and other gaffes at the CRA over the past few years.

Nicolo Rizzuto is shown in 2010. (Christinne Muschi/Reuters)

The Mafia mishap

2007: The CRA mistakenly issues a refund cheque for more than $381,000 to reputed Mafia don Nicolo Rizzuto. The cheque was cancelled two weeks later after Mr. Rizzuto’s daughter alerted the agency to the mistake. In 2013, a CRA investigation found “no unethical behaviour or corruption” by CRA staff in the issuing of the cheque.

Former CRA official Adriano Furgiuele is brought in to RCMP headquarters in handcuffs on Aug. 9, 2012. (Christinne Muschi for The Globe and Mail)

Project Coche

2008-2014: Under the codename Project Coche, the RCMP investigate allegations that rogue auditors at the CRA’s Montreal office received bribes in exchange for overlooking millions in unpaid taxes and fraudulent tax credits. When it concluded last February, Project Coche had resulted in 142 charges against eight former CRA officials and seven businessmen.

Former privacy commissioner Jennifer Stoddart. (Fred Chartrand/The Canadian Press)

A warning on privacy

October, 2013: A damning report from privacy commissioner Jennifer Stoddart finds thousands of CRA files were accessed inappropriately for years. The special audit blamed weak security protocols at the agency and called for stronger measures to flag inappropriate access to files. The agency agreed with all of the commissioner’s recommendations.

The Canada Revenue Agency headquarters in Ottawa. (Sean Kilpatrick/The Canadian Press)

CRA employees fired

April, 2014: The CRA tells a House of Commons committee it had fired 14 employees, and suspended 18 others, over the past year for accessing files without authorization. The agency also told the Commons committee on Access to Information, Privacy and Ethics that more than 2,983 data breaches took place in 2013, most related to mail going to the wrong location.

The Canada Revenue Agency website is seen on a computer screen displaying information about the Heartbleed security risk. (Mark Blinch/Reuters)

Heartbleed

April, 2014: The CRA shuts down its filing system to protect against Heartbleed, a security loophole in the software protecting encrypted websites around the world. The shutdown came only weeks before the April 30 tax deadline, forcing a delay. The tax agency says about 900 social-insurance numbers were stolen during the breach. Days after the shutdown, the RCMP arrest Stephen Arthuro Solis-Reyes, a 19-year-old computer science student from London, Ont., for allegedly exploiting Heartbleed to steal CRA data.