Eight hundred thousand taxpayers remain locked out of their Canada Revenue Agency accounts as the department wrestles with the discovery that a person or group has unauthorized knowledge of login credentials.
After discovering the threat initially in February and locking out 100,000 people, the CRA on March 13 revoked hundreds of thousands more user IDs and passwords which had not been reset to prevent further potential risks to those accounts.
Those locked out will get instructions by mail or email on how to regain access to their accounts.
The agency declined a request for an interview, instead referring to a statement issued this week that indicated the problem was not due to a breach of CRA security controls. Credentials may have been obtained through email phishing schemes or third-party data breaches, the agency suggested.
It’s not uncommon for hackers to try to use stolen credentials to access bank or government accounts in Canada, the U.S. and other countries, particularly at this time of year when people are filing taxes and governments are issuing rebate cheques.
According to CBC News, more than 100,000 people were affected by the first lockout.
But in the weeks after, more user IDs and passwords were made available to unauthorized individuals. Again, the CRA said the credentials might have been obtained outside of the agency’s environment. The existing IDs and passwords for these accounts have also been revoked.
The CRA said the total number of accounts impacted is roughly 800,000.
Affected taxpayers have been notified either by regular mail or email to regain access by going to the CRA login page and creating a new CRA user ID and password or using a different login method. An individual can have more than one login method associated with their CRA account. If a user ID and password is revoked, it doesn’t mean other login methods can’t be used.
Seeking clarity
At press time CRA hadn’t responded to a request to explain how the agency realized that some credentials used to access CRA accounts might have been obtained by unauthorized third-parties.
Impacted individuals can still file their income tax returns online using NETFILE certified software. They can also apply for emergency benefits once a different login method is used or by going to the CRA login page to create a new CRA user ID and password.
Taxpayers should do the following to prevent unauthorized access and use of online CRA accounts:
- Create a personal identification number (PIN) in My Account to confirm their identity on future calls with the CRA.
- Sign-up for e-mail notifications, a service that notifies Canadians by email if their address or direct deposit information has been changed on their CRA account.
- Monitor their account regularly for suspicious activities such as unsolicited changes to address or direct deposit information, or benefit applications made on their behalf.
- Make sure their personal and business information is up to date.
- Install software to remove all malware from computers and devices to ensure user IDs and passwords remain protected.