CRA data breach should be the final straw
If heads don’t roll after the latest security debacle at the Canada Revenue Agency, they should.
The tax agency revealed yesterday that a spreadsheet containing detailed information on a number of high-profile Canadians, including former PM Jean Chretien, author Margaret Atwood, ex drug czar Richard Pound and media mogul Moses Znaimer, had been sent to the CBC. The 18-page file included names, home addresses, and details of donations made to Canadian museums and galleries.
In a statement released late yesterday, CRA Commissioner Andrew Treusch attributed the accidental release of the personal information to human error, and said it “constitutes a serious breach of privacy.”
The CBC said it received the file electronically in response to an Access to Information Request. In a move that surprises no one, Treusch said the agency “has launched an internal investigation into the privacy breach and its security protocols.”
A disturbing pattern
Given that the leaked spreadsheet represents the CRA’s second major security breach this year alone, the investigation is ultimately a case of too little, too late. No government agency, much less the one charged with maintaining all Canadian personal and corporate tax records, should be given a free pass when confidential data is so easily shared with anyone, let alone members of the media.
Simply calling it a human error-based accident isn’t enough, either. If the CRA had implemented proper security protocols and controls in the first place, no human employee would have ever been remotely capable of either deliberately or inadvertently leaking the material without raising serious alarms. From technology to process to people, something is seriously amiss within the CRA, and nothing short of a wholesale reboot will fix the problem.
In April, the CRA became one of the highest-profile victims of the widespread Heartbleed bug when it was forced to shut down part of its website - including its tax filing systems - at the height of tax season. The agency later admitted the Social Insurance Numbers of 900 taxpayers had been stolen by an online intruder during an approximately six-hour window before the site was taken offline. Stephen Arthuro Solis-Reyes, a Western University student from London, Ontario, was charged with one count of unauthorized use of a computer and one count of mischief in relation to data.
In government we trust?
The CRA’s latest security misstep reinforces growing sentiment among Canadians that the government isn’t doing enough to keep the wrong people from gaining access to their data.
“If famous Canadians can have their sensitive information leaked by the government then we all have reason to worry,” OpenMedia.ca communications manager David Christopher said in a statement. “It’s no wonder that everyday Canadians just don’t trust the government’s reckless approach to their privacy.”
In his Annual Report to Parliament, Privacy Commissioner Daniel Therrien reported last month that breaches across all federal government agencies had doubled - to 228 - over the previous year. That’s the third straight year of increases, with human error now accounting for just over two-thirds of all reported cases. Privacy Commissioner data further shows federal agencies and departments have reported 168 data breaches since April 1. Of those, the CRA almost tops the list, with 22 reported incidents.
Last year, the Privacy Commissioner’s office reported a number of federal departments fell short on security, tracking and reporting. Citizenship and Immigration, the Correctional Service, the Parole Board, Passport Canada, the RCMP and Veterans Affairs were cited for “systematic issues in safeguard and security protocols.”
The CRA was unable to comply with commissioner requests for data, which in the wake of this week’s incident seems prescient.
“This latest revelation underlines a systemic problem when it comes to the government’s terrible track record on privacy,” Christopher said. “Canadians need strong privacy safeguards, including tough penalties and accountability to stop privacy breaches like this.”
The government’s non-response to security breaches stands in marked contrast to retailers like Target, whose stock was hammered in the wake of one of the largest data losses in history. Unlike Target, whose CEO fell on his sword and resigned, the CRA’s business-as-usual response suggests no leadership change is in the works. Which is unfortunate, because accountability is what Canadians deserve from their tax agency and other government agencies. And based on this year’s track record alone, accountability is the last thing on the federal government’s data security agenda.