Language selection


Key takeaways from the OPC’s investigation into the GCKey and CRA cyber-breach

March 28, 2024

Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.

In this Bulletin:

Key takeaways from the OPC’s investigation into the GCKey and CRA cyber-breach

Federal government departments and agencies hold vast amounts of sensitive information, including the personal information of millions of Canadians, which make them attractive targets for cyberattacks. This is why it is essential to have robust safeguards in place to mitigate against privacy data breaches.

Here are some key takeaways from the Office of the Privacy Commissioner of Canada (OPC)’s investigation into the 2020 cyber breach of the Canada Revenue Agency (CRA) sign-in portal and Employment and Social Development Canada (ESDC)’s “GCKey” authentication service.

The investigation, which examined how attackers were able to infiltrate online services to access and modify individual accounts, offers important lessons for all departments and agencies.

  1. Ensure that privacy risks are thoroughly assessed and addressed for programs and services, especially when they involve sensitive personal information: It continues to be important that government departments carefully consider and assess the privacy implications of their activities to determine if and when privacy impact assessments (PIAs) are required. As part of a PIA, departments and agencies should assess where their systems might be vulnerable. Consider how bad actors might access or modify the personal information that they hold, what harms could result from that, and what safeguards may be employed to mitigate against those harms.
  2. Consider the risks from malicious modification or submission of false personal information (e.g. by an imposter): Bad actors may pretend to be somebody else to falsely apply for and divert government services or benefits. Taking reasonable steps to prevent malicious modification or false submission of personal information is required under subsection 6(2) of the Privacy Act, which seeks to ensure the accuracy of personal information.
  3. Determine the level of identity assurance that is needed and ensure that employees know how to assess it: Government call centres that provide general information may not need to know whether the person who they are speaking with is who they claim to be. In other cases, where personal information may be shared to access government services or benefits, employees must confirm individuals’ identity with a greater level of confidence. Being able to provide a social insurance number or employee number may not be enough of an assurance. Resources for identity assurance include Treasury Board of Canada Secretariat (TBSGuideline on Defining Authentication Requirements and Guideline on Identity Assurance. Departments and agencies should adopt practices aligned with internationally accepted standards for identity assurance in cases where moderate harm could result if the information is compromised. Multi-factor authentication, for example, will often ask a person to enter something they know, such as a password, and also to enter something they have like a one-time code sent to a phone number registered to the user.
  4. Conduct regular security assessments: Departments and agencies that handle significant amounts of sensitive personal information should conduct regular vulnerability assessments to identify gaps and weaknesses in security safeguards. If any are found, take prompt actions to address them. The Canadian Centre for Cyber Security (CCCS) provides advice on cybersecurity for GC institutions, including on protecting networks and sensitive information.
  5. Monitor to detect potential breaches early: By actively auditing logins for suspicious patterns, departments and agencies are better able to detect potential problems early. Departments and agencies must have an effective monitoring regime with strong coordination and communication channels in place.
  6. Be prepared to take immediate corrective actions: If a breach does occur, it is crucial that organizations act promptly to remedy the situation and prevent further harm to those affected. This ensures that safeguard enhancements and portal shutdown protocols are ready to deploy quickly if a threat is detected. Federal departments and agencies subject to the Privacy Act are required to report material privacy breaches to the OPC and to TBS after making efforts to contain, assess and mitigate the breach, and no later than seven days after the institution determines the breach is material.
  7. Build strong structures to avoid silos in information sharing and decision-making: For programs that involve multiple federal departments and agencies, all parties must be aware of the vulnerabilities of different parts of the system, current threats and potential harms. Decisions related to updating or modifying shared safeguards must be made with the knowledge and input of all accountable parties. Each party’s role and responsibilities when it comes to monitoring access to personal information, and identifying and reporting privacy breaches, should be clearly assigned.

The OPC’s Government Advisory Directorate is available to consult with federal government institutions on privacy-impactful programs and activities, and on the PIA process. Please email if you would like our help.

TBS’s Privacy and Data Protection Division is also available to consult with institutions and to advise on considerations across the TBS privacy policy suite, including the PIA process. You can reach them at

Further reading

Special report to Parliament: Investigation of unauthorized disclosures and modifications of personal information held by Canada Revenue Agency and Employment and Social Development Canada resulting from cyber attacks – Special report to Parliament.

Nominations open for new privacy awards

The launch of the first-ever PICCASO Awards in Canada offers an opportunity to highlight positive privacy initiatives in many different sectors and industries across the country. These external awards include a category for public service excellence in “demonstrating cutting edge leadership/innovation in data and privacy.” You are invited to nominate yourselves or other organizations or individuals. The nomination period is open until April 7. While the OPC is not an organizer of this event, we support the recognition of excellence in the privacy sphere and we are sharing this information in case it may be of interest.

Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.

Date modified: