CRA locked more than 100,000 accounts as ‘preventative measure’ after credentials found on dark web [Update]

The agency removed users' email addresses from accounts, says it's sending out letters to help people unlock accounts


Update 02/19/2021 at 9:52am: The CRA reportedly locked the accounts of more than 100,000 users of its online service, according to the National Post. The move came after the agency detected leaked login information on the dark web. The login information could have led to data breaches.

The agency told the National Post that this means its new early cyber security issue detection system is working properly. That said, the CRA acknowledged the communication strategy needs work. It will review the process and “regrets the inconvenience.”

If your CRA account was locked, there’s a good chance your login data was compromised through a third-party breach. That could mean you used the same password across multiple online services — if one service was compromised, anything sharing a password with it, such as your CRA account, could also be compromised. The CRA stressed that locking accounts was a preventative measure and that CRA accounts haven’t been breached.

Update 02/17/2021 at 5:32pm: A CRA media representative provided more detail to MobileSyrup regarding the ongoing account issue. To start, the CRA says that the alert sent out on February 16th was specifically related to email addresses associated with some accounts.

“Taxpayers may have received a notification from the CRA indicating that their email address has been removed from their account,” said the CRA.

The CRA stressed that these accounts weren’t impacted by a cyber attack, nor have they been compromised. Instead, the action taken was a “preventative measure” to protect taxpayer information after an internal analysis found some account credentials may have been compromised:

“In this particular case, an internal analysis revealed evidence that some account credentials (i.e. user IDs and passwords) may have been compromised, and may be available for use by unauthorized individuals. These credentials were not compromised as a result of a breach of CRA’s systems. Rather, they have been obtained through a variety of means by sources external to the CRA. As a precautionary security measure and to prevent unauthorized access to these accounts, we took swift action to lock the accounts and are in the process of contacting the legitimate account holders to unlock their accounts.”

The CRA says that it’s working with impacted individuals to “re-establish credentials and unlock their accounts.”

Further, there is “no urgent need for taxpayers to contact [the CRA] unless they are an emergency benefit applicant and have active applications in our system,” says the CRA. The CRA will prioritize those calls to minimize delays in delivering emergency benefits.

The Canada Revenue Agency (CRA) locked people out of online accounts, saying that the move was meant “as a security precaution.”

As reported by CBC News, the CRA locked an unknown number of people out of online CRA accounts. The agency informed some users that it removed their emails from their accounts. Further, many users used social media to report issues, pointing out an ‘error 021’ showing up on their accounts. The Daily Hive first reported the CRA account locking.

Others spent hours waiting on the CRA’s helpline to get their accounts unlocked.

A CRA spokesperson told CBC News that taxpayers who registered for online account alerts “may receive a notification from the CRA indicating that their email address has been removed from their account.”

Further, CRA media relations representative Christopher Doody told the CBC in an email that the CRA locked accounts “as a security precaution in the context of ongoing investigative work, and is not due to a cyber security breach of CRA systems.”

Finally, Doody explained that impacted users would receive a letter in the mail with instructions on unlocking their accounts. However, he did not clarify the nature of the investigation or explain why the CRA locked so many accounts.

To make the incident worse, it remains unclear whether people will be able to access subsidies while their accounts remain locked. CBC News pointed out that when CRA accounts were breached last year, the agency temporarily stopped sending benefits and credit payments to impacted users. The CRA hasn’t yet said whether it will do the same in this situation.

Source: CBC News, Daily Hive
