CRA closes taxpayer accounts after discovering unauthorized use of credentials

Eight hundred taxpayers remain out of their Canada Revenue Agency accounts as the department wrestles with the discovery that an individual or group has unauthorized knowledge of login credentials.

The CRA revoked hundreds of thousands of more user IDs and passwords on March 13, after the threat was initially detected in February and closed to 100,000 people, which were not reset to prevent potential threats to those accounts.

Those who are outside will receive instructions by mail or email how to access their accounts.

The agency declined a request for an interview, instead citing a statement released this week that indicated the CRA was not the problem due to a breach of security controls. Credentials can be obtained through email phishing schemes or third-party data breaches suggested by the agency.

Canada, US for hackers And in other countries it is not uncommon to try to use stolen credit to access bank or government accounts, especially at the time of year when people are filing taxes and the government is issuing rebate checks.

According to CBC News, more than 100,000 people were affected by the first lockout.

But in later weeks, more user IDs and passwords were made available to unauthorized individuals. Again, the CRA stated that credentials can be obtained outside the agency's environment. Existing IDs and passwords for these accounts have also been revoked.

The CRA stated that the total number of affected accounts is about 800,000.

Affected taxpayers have been notified either by regular mail or email to visit the CRA login page and create a new CRA user ID and password, or to use a different login method. An individual may have more than one login method associated with his CRA account. If a user ID and password are revoked, it does not mean that other login methods cannot be used.

Seek clarity

At press time the CRA did not respond to a request to explain how the agency came to know that certain credentials used to access CRA accounts could be obtained by unauthorized third-parties.

Affected individuals can still file their income tax returns online using Network Certified software. They can also apply for emergency benefits by visiting a CRA login page to use a different login method or to create a new CRA user ID and password.

Taxpayers should do the following to prevent unauthorized access and use of online CRA accounts:

Create a Personal Identification Number (PIN) in my account to confirm their identity on future calls with the CRA.
Sign-up for e-mail notifications, a service that informs Canadians by email if their address or direct deposit information has been changed to their CRA account.
Regularly monitor their account for suspicious activities such as address or direct deposit information, or for activities carried out on their behalf.
Ensure that their personal and business information is up-to-date.
Install software to remove all malware from computers and devices to keep user ID and password protected.