The IT Nerd

User Credentials From The Canada Revenue Agency Are Floating Around The Dark Web…. Yikes!!


Clearly the Canada Revenue Agency has a serious IT security problem. Two days ago an unknown number of accounts were locked as a precaution, though the CRA wouldn’t provide details at the time. Now we have those details. Apparently around 100000 accounts were locked because leaked login info was found on the dark web. Which of course is not good:

If you received an unexpected and cryptic email on Feb. 16 from CRA warning you that your email had been deleted from the agency’s web platform, MyCRA, do not worry: your account has not been breached.

In fact, the agency says it means that their new early cyber security issue detection system is working (though the communication strategy will be reviewed and it “regrets the inconvenience.”)

But that also means your login data has probably been compromised through a third-party breach and you will need to contact CRA in order to regain access to your online account, particularly if you plan on filing your 2020 taxes online starting next week.

“To be clear, these accounts were not impacted by a cyber attack at the CRA. These accounts have not been compromised and the action taken to lock the accounts was a preventative measure,” agency spokesperson Christopher Doody said in an emailed statement.

Steps on how to regain access to their online account will be sent to affected taxpayers by mail, he added.

I’m sorry, but this is a #fail on so many levels. First, simply sending out an email saying that your Canada Revenue Agency account has been locked is going to freak people out. That’s because the Canada Revenue Agency’s track record when it comes to IT security quite frankly sucks, as they have been repeatedly pwned by hackers. Thus if you get one of these emails, you are going to assume that hackers have pwned them again. It also doesn’t inspire confidence. I get that the Canada Revenue Agency was trying to act in the best interest of Canadians, but the way that they did it really isn’t fit for purpose. Hopefully they not only provide details about how these 100000 or so accounts were compromised, but also rethink their communication strategy.
