An internal audit revealed computer security at the Canada Revenue Agency (CRA) is still inadequately monitored years after hackers successfully breached taxpayers' accounts on several occasions.

According to Blacklock’s Reporter, the Agency keeps digital records of more than 27 million people and companies that file tax returns in Canada.

“There was a lack of monitoring,” said the internal audit, Security Assessment and Authorization. Auditors blamed “a lack of management oversight.”

“The Canada Revenue Agency has one of the largest information technology environments and repositories of personal and financial information in the Government of Canada,” wrote auditors.

“Ninety percent of income tax and benefit returns and 94% of corporate income tax returns were filed digitally.”

“It is essential for the Agency to meet Canadians’ expectations for delivering client service while maintaining trust that their information will be protected from potential data breaches and identity theft,” said the report.

A 2014 cyberattack forced a six-day shutdown of the Agency’s website in tax season. Managers at the time confirmed hundreds of Social Insurance Numbers were stolen after Agency databases were corrupted by the Heartbleed Bug that bypassed encryption systems.

Further investigations revealed the cyberattack went unnoticed for six hours before the systems were finally shut down.

In 2020, there was another cyberattack that led to the unauthorized access of thousands of tax records. At that time, the managers promised to implement stricter security.

“We have thousands of transactions every day,” Marc Brouillard, acting chief information officer, told reporters in 2020.

“Did these attacks not demonstrate there was a total failure?” asked a reporter.

“I would argue no, quite the opposite,” replied Brouillard. “The system worked. We were able to identify those fraudulent transactions.”

Even though there have been security breaches in the past, the most recent audit discovered security assessments are still an issue.

“Security assessment is the ongoing process of evaluating security practices and controls to establish the extent to which they are implemented correctly, operating as intended and achieving the desired outcome with respect to meeting defined security requirements,” said Security Assessment.

CRA managers “were not always aware of, or did not clearly understand, the security assessment and authorization process, more specifically for monitoring,” wrote auditors. Security was mandatory, they added.

“Addressing security in the early stages of information technology projects and throughout the information system’s life cycle is vital to ensuring security is integrated into the design, that security objectives are met and that planning and resources are optimized,” said the report.