Consolidated Issue Sheets on the privacy breaches at the Canada Revenue Agency

Table of Contents

CRA Breach Reporting to OPC

OPC Investigation into CRA Privacy Breaches

Section 241 of the Income Tax Act (ITA)

Employee Expectations of Privacy in Work Phones and Computers

The Legality of Searching Employee Emails as a Disciplinary Matter

2020 Credential Stuffing Investigation into CRA and ESDC (known as GCKey)

CRA Announcement of GCKey Breach

Response to Privacy Breach Order Paper Question

H&R Block

Breach Reporting Stats/Trends

TBS Breach Reporting Requirements

OPC Response to Breach Reports

OPC Annual Report

PIAs/Consultations with CRA on Fraud Detection Measures

Privacy Act Reform – breach notification

2022 Class Action re Privacy Breaches

ETHI Report on Federal Government’s Use of Digital Forensic Tools

Cyber Security

Engaging the RCMP

Funding for Breaches

Consent for Information Sharing by Third Party Tax Filing Platforms

CRA Fraudsters Exploiting Pixels

Terms of Service used by Third-Party Tax Filing Platforms

US Congressional Investigation into “Attacks on Tax Privacy” (2023)

Does US Law permit Third Party Tax Filing Services to Share User Information?

CRA meeting their commitments following recommendations in the GCKey report?

What do you expect CRA to be doing, and are you satisfied with what they are doing?

What should Canadians impacted by this breach do?

Results of engagement/discussions with the CRA since earlier this year

Difference between 31,000 breaches (fraud) and credential-stuffing breaches (GCKey report)?

Auditor General’s Report 10 (2022)

OPC Recommendations re Hypothetical CRA Tax Filing Platform

Privacy Considerations with a CRA Tax Filing Platform

Appearance before the Standing Committee on Access to Information, Privacy and Ethics


CRA Breach Reporting to OPC

Speaking Points

  • In May 2024, the CRA submitted a breach report to my Office identifying 31,393 material privacy breaches.
  • CRA advised my Office that these incidents, which it refers to as individual cases of “unauthorized use of taxpayer information by third parties” – or UUTPs – were detected between May 2020 and November 2023.
  • On October 25, 2024, CRA submitted another breach report to my Office covering a further 3,232 UUTP material breaches, which it stated were detected between November 2023 and September 2024.
  • These two reports are in addition to 33 UUTPs reported earlier this year.
  • Although the high number is concerning, it is positive that the CRA is detecting and reporting these privacy breaches, and is following the recommendations made in the investigation report my Office published in February 2024.

Background

Breaches reported to the OPC by the CRA

FY                    | UUTP incidents | Non-UUTP incidents | Total
2024-2025 (to Oct 31) | 34,658         | 51                 | 34,709
2023-24               | 0              | 71                 | 71
2022-23               | 0              | 30                 | 30
  • On February 14, 2024, the OPC published the findings of its investigation into credential stuffing attacks at the CRA that occurred in the summer of 2020. CRA agreed to implement our recommendations, including incident-response processes to prevent, detect, contain, and mitigate future breaches.
  • The CRA continues to advance the implementation of our recommendations and provides the OPC with regular updates on its progress.

OPC Investigation into CRA Privacy Breaches

Speaking Points

  • Following a complaint about the breaches, on October 29 I announced the launch of an investigation into more than 31,000 privacy breaches at the Canada Revenue Agency, some dating back to 2020.
  • In it, we will seek to assess whether the CRA met its obligations under the Privacy Act, as well as the adequacy of safeguards and breach-response processes.
  • As the investigation is ongoing, I am limited as to what I can share at this time.

Background

  • Federal institutions are required to report breaches to the OPC in accordance with TBS policies and directives. There is no requirement to do so under the Privacy Act.
  • The OPC has held several meetings with the CRA to understand the nature of the breaches reported in May, to seek clarifications on CRA’s process to notify affected individuals and to find out more about its ongoing efforts to remediate and mitigate those breaches.
  • After a breach is reported at an institution subject to the Privacy Act, we generally engage with the institution to inform our assessment of what steps are required, if any, to ensure compliance. In this instance, while the engagement was still ongoing, the receipt of a complaint resulted in an investigation into the matter.
  • The February 2024 investigation report on the 2020 credential stuffing attack that occurred at the CRA also examined the Agency’s safeguards and breach response; however, the scope was limited to the credential stuffing.
  • This new investigation will examine these same components but with a broader scope (i.e., other potential threat vectors that contributed to the breaches reported to the OPC in May by the CRA).
  • Generally speaking, the OPC aims to complete investigations within reasonable timelines. This can be a challenge at times in light of an increasing number of complaints and limited resources to serve Canadians.

Section 241 of the Income Tax Act (ITA)

Speaking Points

  • Section 241 of the ITA prohibits government officials from disclosing taxpayer information subject to limited exceptions, including for the purposes of an investigation under the Privacy Act.
  • We do not believe section 241 of the ITA needs to be amended to authorize reporting privacy concerns to the OPC. The existing provision does not prevent government organizations from reporting privacy breaches to the OPC, as required by TBS policy.
  • Breach reporting should include high-level information and not case-specific information or personal information.
  • Section 241 would not preclude government officials from speaking about a privacy breach in general terms, such as describing when they learned of a breach or when they reported the breach to the OPC.

Background

  • Under s. 241(10) of the Income Tax Act (ITA), taxpayer information is defined as information of any kind relating to a taxpayer obtained by or on behalf of the CRA’s Minister for the purposes of the ITA. However, the definition excludes information that does not reveal the identity of the taxpayer to whom it relates.
  • The ITA’s definition of “taxpayer information” is distinct from the definition of personal information under the Privacy Act as it may include information about businesses and not only individuals.
  • See TBS’s Policy on Privacy Protection, effective October 9, 2024. Government entities are required to report material breaches to the OPC and to TBS (s. 4.2.12).
  • One of the exceptions to the prohibition on the disclosure of taxpayer information under s. 241 of the ITA is for information used for the purpose of conducting an investigation under the Privacy Act (paragraph 241(4)(e)(ix) ITA and s.34(2) PA).
  • Under the Privacy Act, information can be disclosed without the consent of the affected individual when an Act of Parliament or a regulation authorizes disclosure (s. 8(2)(b)).

Employee Expectations of Privacy in Work Phones and Computers

Speaking Points

  • I am aware of recent media reports that, in an effort to identify whistleblowers, the CRA has been examining its computers and systems to see who accessed certain files and for what reason.
  • Individuals have a right to privacy at work, even if they are on their employer’s premises and/or using their employer’s devices, such as computers and mobile phones.
  • My Office’s guidance on Privacy in the Workplace is clear that any employee monitoring must be limited to purposes that are specific, targeted and appropriate in the circumstances.
  • Transparency about employee monitoring is also fundamental. Employers must make employees aware of the purpose, nature, extent and reasons for monitoring, as well as potential consequences for workers, unless there are exceptional circumstances at play.

Background

  • On November 14, 2024, a CBC News story stated: “The Canada Revenue Agency is on a ‘witch hunt’ to find whistleblowers who may have spoken to the media […] The Fifth Estate/Radio-Canada has also been told that employees believe the CRA is going through computers to see who accessed what files and for what reason.”
  • During NFFN’s meeting on November 19, 2024, the Minister of National Revenue, the Hon. Marie-Claude Bibeau, and CRA Commissioner Bob Hamilton each denied that CRA is conducting a “witch hunt”, although Commissioner Hamilton acknowledged that CRA is working to identify what happened and to make sure CRA employees behave properly going forward.
  • During ETHI’s meeting on November 21, 2024, Minister Bibeau repeatedly took issue with the characterization of CRA employees speaking to the media as “whistleblowers”.
  • During the same meeting on November 21, Commissioner Hamilton stated that CRA investigates conduct contrary to CRA’s code of ethics, and admitted that CRA is looking into how information got into the public domain. He further acknowledged that responses to behaviour contrary to CRA’s code of ethics can range from minor discipline to termination.

The Legality of Searching Employee Emails as a Disciplinary Matter

Speaking Points

  • When a federal government institution becomes aware of an unauthorized disclosure to media by an employee, s. 4 of the Privacy Act may allow the institution to search employee emails to investigate.
  • The investigation’s purpose may be to prevent further unauthorized disclosure or to investigate related issues such as harassment or fraud.
  • The government institution may also be obliged under TBS policy to investigate if there is a risk that personal information was disclosed without authorization.
  • The Privacy Act would not authorize a search of employee emails as an act of reprisal for making a protected disclosure of alleged wrongdoing under the Public Servants Disclosure Protection Act (PSDPA).
  • The PSDPA sets out processes for public servants to make a protected disclosure of alleged wrongdoing, including confidentially reporting to the Public Sector Integrity Commissioner (s. 13). The PSDPA provides for public disclosure of wrongdoing in limited circumstances (s. 16).

Background

  • See TBS Directive on Privacy Practices, Appendix B: Mandatory Procedures for Privacy Breaches, effective March 1, 2024.
  • Federal government institutions must only collect personal information that relates directly to an operating program or activity (s. 4 PA). While they should normally collect information directly from the individual, they can do so indirectly if direct collection would defeat the purpose of collection (s. 5(3)(b) PA).
  • Employers may then only use the information for the purpose for which it was collected, or a purpose consistent with that purpose, unless the employee consents to its use or a specific exemption under s. 8(2) PA applies.
  • A public servant can confidentially disclose information they believe could show that a wrongdoing has been or is about to be committed, to their supervisor, a designated senior officer or to the Public Sector Integrity Commissioner. Public Servants Disclosure Protection Act, S.C. 2005, c. 46, ss. 12 and 13.

2020 Credential Stuffing Investigation into CRA and ESDC (known as GCKey)

Speaking Points

  • On February 14, 2024, I published the results of an investigation into the CRA’s and ESDC’s compliance with the Privacy Act related to attacks that had occurred in the summer of 2020.
  • In this case, attackers used credential stuffing as the attack vector to access the CRA’s online portal and to create or modify more than 34,000 taxpayer accounts online.
  • The investigation found that attackers exploited weaknesses in CRA’s identity authentication processes, and that CRA under-assessed the level of identity assurance warranted for online services. We also found that the CRA had not promptly detected or contained these breaches.
  • The CRA agreed to implement our recommendations, which included implementing comprehensive incident-response processes and regular security assessments. The OPC continues to engage with the CRA on its progress to implement our recommendations.

Background

  • This was a Commissioner Initiated Investigation against the CRA, Shared Services Canada and Employment and Social Development Canada. A small number of complaints were subsequently received against CRA and ESDC.
  • Credential stuffing is where attackers use stolen credentials obtained from previous breaches at other organizations, to access existing online accounts. This attack technique leverages individuals’ tendency to reuse usernames and passwords.
  • In contrast to the previous investigation, the new CRA investigation, announced on October 29, 2024, will examine security safeguards and their breach response processes in a broader context, taking into account other possible attack vectors (beyond credential stuffing) that may have caused breaches reported to the OPC on May 9th (over 31,000) and October 25th (over 3,200).
  • At the end of that investigation, CRA made us aware of 15,000 unreported breaches beyond the 34,000 that were part of the credential stuffing incident; this was noted in the GCKey report.
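The detection gap identified in the GCKey report (breaches not promptly detected or contained) is, at the log level, a question of recognizing the pattern described above: one source replaying many different stolen username/password pairs and occasionally succeeding. As an added example, not code from the OPC issue sheets, the CRA or any government portal, the script below runs a simple credential-stuffing detector over a constructed authentication log. The log layout (“timestamp src_ip username result”), the addresses, the account names and the thresholds are all assumptions chosen for illustration.

```python
"""Credential-stuffing detector run over a constructed authentication log.

Added example; not code from the OPC issue sheets, the CRA or any
government portal. The log layout ("timestamp src_ip username result"),
the IP addresses, the account names and the thresholds are all
assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (documentation/test-net addresses, not real traffic).
# 203.0.113.5 tries ten different accounts in six seconds and gets into two of
# them: the signature of replaying a credential list from someone else's breach.
# 198.51.100.7 is one user mistyping their own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2020-08-01T10:00:01 203.0.113.5 alice FAIL
2020-08-01T10:00:02 203.0.113.5 bob FAIL
2020-08-01T10:00:02 203.0.113.5 carol SUCCESS
2020-08-01T10:00:03 203.0.113.5 dave FAIL
2020-08-01T10:00:03 203.0.113.5 erin FAIL
2020-08-01T10:00:04 203.0.113.5 frank FAIL
2020-08-01T10:00:04 203.0.113.5 grace SUCCESS
2020-08-01T10:00:05 203.0.113.5 heidi FAIL
2020-08-01T10:00:05 203.0.113.5 ivan FAIL
2020-08-01T10:00:06 203.0.113.5 judy FAIL
2020-08-01T10:01:00 198.51.100.7 mallory FAIL
2020-08-01T10:01:05 198.51.100.7 mallory FAIL
2020-08-01T10:01:09 198.51.100.7 mallory SUCCESS
2020-08-01T10:02:00 192.0.2.9 trent SUCCESS
"""


@dataclass
class Attempt:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the assumed four-field log format; blank lines are skipped."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return attempts


def detect_stuffing(attempts, window=timedelta(minutes=5),
                    min_distinct_users=8, min_fail_ratio=0.5):
    """Flag source IPs that, within `window`, try many *different* accounts
    with a high failure rate. A single user retrying their own password has
    one distinct account and is not flagged; a stuffing run has many.

    Returns {ip: summary}; `accounts_to_disable` lists every account the
    flagged IP logged into from the first suspicious window onward, which is
    the set a responder would lock and notify.
    """
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.src_ip].append(a)

    findings = {}
    for ip, rows in by_ip.items():
        flagged_from = None
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            distinct = {a.user for a in win}
            fails = sum(1 for a in win if not a.ok)
            if len(distinct) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                flagged_from = start
                break
        if flagged_from is None:
            continue
        tail = rows[flagged_from:]  # everything from the suspicious window onward
        fails = sum(1 for a in tail if not a.ok)
        findings[ip] = {
            "attempts": len(tail),
            "distinct_users": len({a.user for a in tail}),
            "fail_ratio": round(fails / len(tail), 2),
            "accounts_to_disable": sorted({a.user for a in tail if a.ok}),
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A per-source threshold like this catches the naive case only: a stuffing campaign routed through a proxy pool spreads its attempts across many addresses and stays under any per-IP count, so it has to be paired with per-account signals (a successful login from a new device or geography followed by a change to contact or direct-deposit details, the pattern in the class action below) and, above all, with a second authentication factor, which is the identity-assurance point the GCKey report made.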

CRA Announcement of GCKey Breach

Speaking Points

  • The Treasury Board Secretariat informed Canadians about “credential stuffing” attacks on the GCKey service and CRA accounts by way of a statement from the Office of the Chief Information Officer on August 17, 2020.

Background

  • The statement indicated that the Government of Canada was taking action in response to “credential stuffing” attacks mounted on the GCKey service and CRA accounts. These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.
  • The government indicated that affected GCKey accounts were cancelled as soon as the threat was discovered and departments are contacting users whose credentials were revoked to provide instructions on how to receive a new GCKey.
  • It also said that approximately 5,500 CRA accounts were targeted as part of the GCKey attack and another recent “credential stuffing” attack aimed at the CRA. Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount.
  • The statement added that the government’s investigation, and the RCMP’s, was continuing in order to determine whether there had been any privacy breaches and whether information was obtained from these accounts, and that the OPC had been contacted and alerted to possible breaches.
  • The OPC announced two investigations initiated by the Commissioner on October 13, 2020.

Response to Privacy Breach Order Paper Question

Speaking Points

  • I am aware of CRA’s response to Order Paper Question Q-2954 where the Agency noted that it had reported, or was in the process of reporting, 7,046 material privacy breaches to my Office.
  • CRA confirmed to my Office that all those breaches have now been reported to the OPC.
  • The assessment of those breaches will be completed through the investigation I announced on October 29. As the investigation is ongoing, I cannot share more details at this time.

Background

  • On November 4, OPC received a copy of the response to Order Paper Question Q-2954 which asked how many privacy breaches had occurred in federal government departments since March 1, 2023. Relevant to the present issue, CRA reported the following:
    • Part (a): The CRA had 9,068 privacy breaches (impacting a total of 256,978 individuals), of which:
      • 492 were due to security incidents (theft and loss of information, accidental disclosure, etc.) (5.4%)
      • 1,513 were due to misdirected mail (16.7%)
      • 101 were due to employee misconduct (e.g., unauthorized access or unauthorized disclosure) (1.1%)
      • 6,908 were due to UUTP affecting individual accounts (76.2%)
      • 52 were due to UUTP affecting business accounts (0.6%)
      • 2 were discovered following complaints from individuals or the Office of the Privacy Commissioner of Canada (OPC) (0.02%).
    • Part (b)(vii): The CRA reports all material privacy breaches to the OPC and TBS in accordance with the mandatory reporting requirement in the TBS Policy on Privacy Protection. Based on TBS policy requirements, 7,046 privacy breaches (77.7%) were, or were in the process of, being reported to the OPC and TBS between March 1, 2023 and September 16, 2024.

H&R Block

Speaking Points

  • In April 2024, H&R Block reached out to inform my Office that it was investigating anonymous allegations of a potential privacy breach.
  • H&R Block later stated that its investigation could not substantiate the allegations, and as such it did not submit a breach report to my Office.
  • I am aware of media reports indicating that the CRA had identified, in the early spring of 2024, a fraud scheme whereby fraudsters used H&R Block credentials to take over taxpayers’ accounts. However, I have not received a complaint regarding H&R Block on this matter, nor have I received any information regarding H&R Block’s alleged role in CRA-related breaches.
  • On October 29, 2024, after receiving a complaint against the CRA, I launched an investigation into the Agency. The investigation relates to cyberattacks that led to more than 31,000 privacy breaches at the Agency, some dating back to 2020.
  • During the course of the investigation my Office may reach out to third parties, including H&R Block, as needed.

Background

  • In July 2024, in response to the OPC’s questions, H&R Block detailed the extent of its investigation and its conclusion that no personal information had been compromised. It made no reference to potentially compromised credentials.
  • Based on H&R Block representations to the OPC, we accepted there was no privacy breach and proceeded to close our file.
  • (Redacted)
  • The investigation into CRA breaches, launched on October 29th, aims to shed light on possible causes.

Breach Reporting Stats/Trends

Speaking Points

  • Over the past year, my Office saw a 28% increase in breach reports from the federal public and private sectors over the previous year.
  • In the private sector, while the number of reported incidents grew to some extent, the number of individuals affected by privacy breaches reported to my Office more than doubled, rising from approximately 12 million to approximately 25 million Canadian accounts affected.
  • Despite these increases, my Office remains concerned that privacy breaches may be going undetected, mis-assessed, and ultimately unreported, particularly by federal institutions and as relates to cyber incidents. Only a handful of them report such incidents.
  • While almost half (46%) of reports from the private sector received in 2023-24 cited cyberattacks, only 7% of public sector reports cited cyber incidents as the source of the breach.
  • While the CRA reported over 30,000 breaches to the OPC so far this fiscal year, many if not most of those incidents were detected in prior years, demonstrating serious delays in reporting.

Background

Breach reports received by the OPC

Dates                     | PIPEDA | PA   | Total | Breaches related to cyber incidents (public sector)
2024-25 (to October 31st) | 412    | 413* | 825   | 6 (1.4%)
2023-24                   | 693    | 561  | 1,254 | 37 (6.6%)
2022-23                   | 681    | 298  | 979   | 1 (0.3%)

*Does not include CRA breaches reported on May 9 (31,393) and Oct 25 (3,232).

  • Note that all of the cyber breaches involving unauthorized use of taxpayer information by third parties reported by the CRA were counted together as a single breach incident.
  • Of the 37 public sector breaches (6.6%) reported in 2023-24 as related to cyber incidents, 33 were related to the BGRS breach. Counting the BGRS breach as one incident, 4 (0.7%) breaches were related to cyber incidents.

TBS Breach Reporting Requirements

Speaking Points

  • While there are privacy breach reporting requirements for both the federal public and private sectors, it is only required by law under PIPEDA. I have recommended that breach reporting obligations become a legislative requirement under the Privacy Act.
  • Section 4.2.12 of the TBS Policy on Privacy Protection requires federal government institutions to report material privacy breaches to TBS and the OPC no later than seven days after the institution determines that a breach is material.
    • Appendix A of the TBS Policy defines a material breach as one that can reasonably be expected to create a real risk of significant harm (RROSH) to an individual.
  • During the OPC’s investigation into the 2020 credential stuffing attacks at the CRA and ESDC, we learned that some breaches had taken place at the CRA (up to 15,000) which had not been reported to the OPC; I noted this fact in a Special Report to Parliament on that investigation that was tabled in February 2024.
  • As part of our follow-ups with the CRA to monitor its implementation of the recommendations issued in that report, on May 9th, 2024, the OPC received a breach report from the Agency that included over 31,000 privacy breach incidents, with some dating back to 2020.

Background

  • Generally speaking, the OPC is concerned that, too often, breaches are going undetected or are being mis-assessed, leading to under-reporting of privacy breaches in the public sector.
  • The OPC also continues to see an important gap between the public and private sectors’ reporting of cyber incidents. In 2023–2024, the OPC received 321 reports of cyber incidents from the private sector, and only 37 from federal institutions, 33 of which related to a breach at a government service provider (BGRS).

OPC Response to Breach Reports

Speaking Points

  • All breach reports submitted to my Office are reviewed and assessed. Breaches that present higher risks will receive greater scrutiny and follow-on engagement.
  • Reports are first reviewed to examine whether breaches have been contained. They are then assessed to determine if the RROSH reporting threshold is met, whether affected individuals have been properly notified, and what further analysis may be required to determine next steps.
  • Depending on outcomes, the OPC may:
    • Close a breach file if the breach presented low risks and the reporting organization has taken appropriate actions to i) contain the breach, ii) notify affected individuals and/or iii) prevent the reoccurrence of an incident;
    • Seek clarifications from the reporting organization, and/or provide guidance;
    • Make informal recommendations with respect to breach containment, notification of affected individuals, measures to prevent further breaches; or
    • Launch a formal investigation.

Background

  • Assessing the Real Risk of Significant Harm (RROSH) includes an assessment of: (a) the sensitivity of the personal information involved in the breach; (b) the probability that the personal information has been, is being or will be misused.
  • The OPC developed a science-based risk tool to assess RROSH. While aiming to release a public version of this tool by the end of this fiscal year, the OPC’s Breach Response Unit currently uses it to determine the level of analysis required for each breach report. Breaches with lower RROSH scores present lesser risks and require less analysis and less OPC engagement with the reporting organization.
  • In the last 5 years, 9 Commissioner-initiated investigations were launched into breaches that were reported to the OPC; CRA being the latest one.

OPC Annual Report

Speaking Points

  • In accordance with section 38 of the Privacy Act, the Privacy Commissioner is required to submit within 3 months after the end of each fiscal year an annual report to Parliament on the activities of the office during that fiscal year.
  • The OPC’s most recent Annual Report to Parliament was tabled on June 6th, 2024 and captured the Office’s 2023-2024 activities, including the number of breaches that were received and closed from April 1st, 2023 to March 31st, 2024.
  • The CRA submitted a breach report to the OPC on May 9th, 2024, relating to over 31,000 material privacy breach incidents, with some dating back to 2020. It submitted another report on October 25th, 2024 that included over 3,200 additional breaches. The CRA confirmed that the latter were also material breaches and that they took place between November 2023 and September 2024.
  • Any breach report received by the OPC on or after April 1st, 2024 will be reported in the Office’s 2025 Annual Report to Parliament in accordance with Section 38 of the Privacy Act.

Background

  • On October 28, 2024, The Fifth Estate/Radio-Canada reported that the CRA admitted it had been hit with more than 31,468 “material” privacy breaches from March 2020 to December 2023, affecting 62,000 individual Canadian taxpayers.
  • The article noted that the OPC defended the decision to leave the massive increase in privacy breaches out of its June 2024 report to MPs, justifying the decision by saying the CRA sent the information after the March 2024 reporting period.
  • The numbers reported in the media (31,468) were provided by TBS and differ from those reported to the OPC (31,393) by the CRA in its May 9th breach report.
  • In the last two annual reports, we reported having received respectively 71 (2023-24) and 30 (2022-23) breaches from the CRA. For both years, CRA was second in terms of the highest number of breaches reported to the OPC by a federal government institution. ESDC was first with 377 and 196 respectively.

PIAs/Consultations with CRA on Fraud Detection Measures

Speaking Points

  • The CRA has been responsive and proactive in its development of PIAs and continues to hold regular discussions with my Office.
  • Since the beginning of 2024 my office has received 4 PIAs from the CRA on programs involving taxpayer identification, suspicious activity identification and fraud investigations.
  • In response to these PIAs, my office has made a number of recommendations touching on accountability, effectiveness, limiting collection, use, retention and disclosure, notification and consent and automated decision making.
    • Of the 12 recommendations made in these PIAs, the CRA has agreed to 9 of them. Remaining recommendations touched on lack of clarity in the PIAs.
  • OPC recommendations are non-binding and it is ultimately up to the institution to determine if or how they will be implemented.

Background

  • Fraud is identified via a number of programs – the Authentication and Credential Management Program and the GST-HST Audit and Examination Program as well as through anonymous tips via the Individual Protection Services. The most egregious cases of tax evasion and tax fraud are handled by the CRA’s Criminal Investigations program.
  • The PIA for the Criminal Investigations program was most recently updated in February 2024. CRA accepted recommendations related to ensuring privacy training of employees and transparent privacy notices, as well as implementing clear guidance documentation for investigators. However, the CRA did not provide sufficient clarity regarding how they retain personal information collected for investigations.
  • Recent focus of CRA consultations and PIAs has been on programs to prevent and detect breach and limit improper access of taxpayer information by employees rather than external parties.

Privacy Act Reform – breach notification

Speaking Points

  • The Privacy Act is fundamentally unchanged since coming into force over 40 years ago.
  • In 2020, the Department of Justice published a consultation paper proposing a range of reforms to the Privacy Act, including a breach record-keeping requirement, and a requirement to notify my Office and affected individuals where there is a risk of significant harm.
  • The OPC’s submission recommended more prescriptive wording on timeliness for reporting, proposing that breaches be reported without unreasonable delay and no later than seven calendar days after the institution becomes aware of the breach rather than ‘as soon as practically possible’ as proposed by Justice.
  • Clear, short timelines would allow for an effective response by my Office and provide certainty to institutions about legal requirements.

Background

  • Justice’s consultation paper proposed that there be obligations for federal public bodies to minimize and mitigate impacts of material breaches and to notify the Privacy Commissioner and affected individuals where there is a risk of significant harm to an individual. The notification obligation would arise as soon as practically possible after making efforts to contain and assess the breach.
  • The OPC made a submission in March 2021 in which we recommended the following pertaining to breach reporting obligations:
    • OPC be provided with access to all reports prepared by or for institutions about the cause of a breach and related lessons learned.
    • OPC be notified without unreasonable delay, and no later than seven calendar days, after the institution becomes aware of the breach.
    • To be consistent with PIPEDA/the CPPA the threshold for reporting should be when there is a ‘real risk of significant harm’ to individuals.
  • The most recent update from the Department of Justice since the launch of the consultation was the publication of a “what we heard” report in August 2021 and a report on 2022 engagement with Indigenous Peoples published in October 2023.

2022 Class Action re Privacy Breaches

Speaking Points

  • In 2020, there was a significant data breach affecting online accounts managed by the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC).
  • The breach compromised the data of over 45,000 people, and thousands of accounts affected by the breach were used to fraudulently apply for government benefits relating to the COVID-19 pandemic.
    • I published the results of my investigation into the breach on February 14, 2024.
  • A class action lawsuit was initiated in 2020 in response to the breach. In 2022, this lawsuit was certified by a Federal Court judge.

Background

  • In Sweet v. Canada, 2022 FC 1228, Justice Southcott of the Federal Court certified the action as a class proceeding under Rule 334.16 of the Federal Courts Rules.
  • The class representative, Todd Sweet, alleges that in 2020 he discovered that his direct deposit information in the Canada Revenue Agency’s “My Account” portal had been changed and an unknown and unauthorized individual had used his account to make four applications for COVID-19 benefits.
  • The government accounts were the subject of a credential stuffing attack by a threat actor. There is evidence that 48,110 CRA accounts were impacted, and 12,700 of those accounts were used for fraud. There is also evidence that 5,957 ESDC accounts were affected, with 1,200 of those accounts used to apply for COVID-19 benefits.
  • The compromised accounts contained personal and financial information including financial records, notices of assessment, and information about account holders’ disabilities, children and immigration status. 
  • The issues certified as common questions of law or fact relate to systemic negligence, intrusion upon seclusion and breach of confidence.
  • The class includes persons who had their personal and financial information from a government online account disclosed to a third party without authorization between March 1, 2020, and December 31, 2020, subject to certain exclusions.

ETHI Report on Federal Government’s Use of Digital Forensic Tools

Speaking Points

  • I welcome the committee’s recent report on its study into the federal government’s use of technological tools capable of extracting personal data from mobile devices and computers, upon which I appeared in February.
  • I note that the report supports the need for a number of critical measures that I have advocated for, including:
    • amending the preamble of the Privacy Act to indicate that privacy is a fundamental right; and
    • granting my Office the power to make recommendations and issue orders when I find violations of the Privacy Act.
  • The rising threat and severity of cyberbreaches highlights the broader relevance of those recommendations to ensuring that Canadians’ personal information is adequately protected.

Background

  • ETHI launched its study in response to news reports in November 2023 indicating that at least 13 federal departments and agencies were using tools capable of extracting personal data from mobile phones or computers, and that the use of that technology had not undergone a privacy impact assessment.
  • ETHI presented its report to the House on October 10, 2024.
  • ETHI’s report echoed many of the recommendations the Commissioner made during his February appearance. OPC issued a statement following the report’s publication, welcoming the recommendations of the committee.
  • ETHI has recommended that the PA be amended to grant the OPC order-making powers in three other reports since 2022: (1) Collection and Use of Mobility Data by the Government of Canada and Related Issues; (2) Facial Recognition Technology and the Growing Power of Artificial Intelligence; and (3) Device Investigative Tools Used By The Royal Canadian Mounted Police And Related Issues.
  • ETHI also previously recommended that the preamble of the PA be amended to indicate that privacy is a fundamental right in its report on Device Investigative Tools Used By The Royal Canadian Mounted Police And Related Issues.

Cyber Security

Speaking Points

  • Cyber security is a foundational component in securing private and sensitive data from unauthorized access and disclosure.
  • In the context of the Government of Canada, guidance and direction for cyber security is the responsibility of the Canadian Centre for Cyber Security, Shared Services Canada, and the Treasury Board Secretariat. These three departments are also responsible for monitoring, detecting and responding to issues with the GC’s core IT infrastructure.
  • Departments are responsible for the security of applications that fall under their specific mandate and the data that they process.
  • Privacy principles and best practices, in addition to an understanding of a given organization’s risks and vulnerabilities, should guide cyber security decisions and frameworks. Mitigating unnecessary data collection and maintaining proper controls are best accomplished by integrating privacy principles from concept to action.

Background

  • The CRA breach of 2020 allowed hackers to access government services and redirect payments to themselves. Both the initial access vector (credential re-use, also known as credential stuffing) and the end results (unauthorized redirection of funds) appear to be the same in this breach.
  • Threat actors use well-known communication channels to share compromised data – such as hacker forums on the Internet and Telegram group chats. Monitoring these channels can give organizations a head-start in mitigating or preventing cyber attack campaigns.
  • Having departments leverage Multi-Factor Authentication and encouraging users to use password manager software to securely create strong, random passwords for each application they log in to are ways to mitigate the risks of credential reuse.
  • While Shared Services Canada is the provider of some enterprise applications and services as enabled through s. 8 of the Shared Services Act and its mandate defined via Order in Council 2015-1071, departments are responsible for the security of applications that fall under their specific mandate and the data that they process.
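As an added example (not code from the OPC, the CRA or any project the page describes), the following defender-side detector looks for the credential-stuffing pattern described above: one source cycling through many distinct usernames with mostly failed logins, and the accounts it did get into listed for follow-up such as forced password resets and notification. The log format, addresses and usernames are constructed for illustration, and the thresholds are assumptions.

```python
"""Credential-stuffing detection over constructed authentication logs.

Added example only; not OPC, CRA or any project's code. Models the
attack pattern in the background note: credentials leaked elsewhere are
replayed against many accounts from a small pool of sources.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


@dataclass
class StuffingAlert:
    src_ip: str
    distinct_users: int   # distinct usernames tried inside the worst window
    attempts: int         # login attempts inside that window
    failures: int         # failed attempts inside that window
    compromised: set[str] = field(default_factory=set)  # accounts the source got into


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed auth-log line: '<ISO-8601> <ip> <user> <SUCCESS|FAIL>'."""
    ts, ip, user, status = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, status == "SUCCESS")


def detect_credential_stuffing(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=10),  # assumed sliding window
    min_users: int = 5,                         # assumed distinct-username threshold
    min_fail_ratio: float = 0.7,                # assumed failure-ratio threshold
) -> dict[str, StuffingAlert]:
    """Return one alert per source IP whose login traffic matches credential stuffing.

    A source is flagged when, within any sliding window, it attempts at least
    `min_users` different usernames and at least `min_fail_ratio` of those
    attempts fail. Every account that authenticated successfully from a flagged
    source is reported as compromised for review and notification.
    """
    events_by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if raw:
            ev = parse_line(raw)
            events_by_ip[ev.src_ip].append(ev)

    alerts: dict[str, StuffingAlert] = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e.ts)
        users_in_window: Counter[str] = Counter()
        failures = 0
        start = 0
        for end, ev in enumerate(events):
            users_in_window[ev.username] += 1
            failures += int(not ev.success)
            # Slide the window start forward until all events fit inside `window`.
            while ev.ts - events[start].ts > window:
                old = events[start]
                users_in_window[old.username] -= 1
                if users_in_window[old.username] == 0:
                    del users_in_window[old.username]
                failures -= int(not old.success)
                start += 1
            attempts = end - start + 1
            if len(users_in_window) >= min_users and failures / attempts >= min_fail_ratio:
                current = alerts.get(ip)
                # Keep the window with the most distinct usernames as the alert evidence.
                if current is None or len(users_in_window) > current.distinct_users:
                    alerts[ip] = StuffingAlert(ip, len(users_in_window), attempts, failures)
        if ip in alerts:
            alerts[ip].compromised = {e.username for e in events if e.success}
    return alerts


# Constructed sample log: RFC 5737 documentation addresses, fictitious usernames.
SAMPLE_LOG = """
2020-08-01T09:00:00 198.51.100.7 alice FAIL
2020-08-01T09:00:05 198.51.100.7 bob FAIL
2020-08-01T09:00:11 198.51.100.7 carol SUCCESS
2020-08-01T09:00:16 198.51.100.7 dave FAIL
2020-08-01T09:00:22 198.51.100.7 erin FAIL
2020-08-01T09:00:27 198.51.100.7 frank SUCCESS
2020-08-01T09:00:33 198.51.100.7 gina FAIL
2020-08-01T09:00:38 198.51.100.7 hal FAIL
2020-08-01T09:02:00 203.0.113.5 grace FAIL
2020-08-01T09:02:30 203.0.113.5 grace SUCCESS
2020-08-01T09:05:00 192.0.2.9 alice FAIL
2020-08-01T09:05:20 192.0.2.9 alice SUCCESS
"""

if __name__ == "__main__":
    # A mistyped password retried from the same address is not flagged; the
    # source that walked eight usernames and got into two accounts is.
    for alert in detect_credential_stuffing(SAMPLE_LOG.splitlines()).values():
        print(alert)
```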

Engaging the RCMP

Speaking Points

  • Criminal activity related to data breaches falls outside of the parameters of the Privacy Act and is therefore not part of my mandate.
  • It is the responsibility of federal institutions that suspect or identify such criminal activity to report it to law enforcement agencies where required.
  • The CRA has confirmed to my Office that it does refer cases of potential criminal activity to law enforcement, where appropriate.
  • In the event that my Office became aware of or concerned about criminal activity during an active investigation, we would consider how to address it in consideration of all legal obligations.
  • My Office would cooperate with any criminal investigation within the confines of what we are able to share related to an ongoing investigation.

Background

  • During the committee’s meetings on November 21 and November 26, MP Adam Chambers asked questions relating to whether any of the breaches had been referred to the RCMP. During its appearance at ETHI, CRA explained that it has a Criminal Investigations group that is tasked with addressing files that include a criminal element, and that this team works in close collaboration with police authorities, and refers files to them, as required.
  • In their breach reports (in the section related to “Notification to other organizations”), the CRA indicates that it “reviews each incident where personal information has been compromised and refers any case of potential criminal activity to law enforcement, where appropriate.”
  • We are aware from other Privacy Act investigations of instances wherein the CRA has reported criminal matters to the RCMP for investigation. The CRA otherwise would not share details or updates of the RCMP’s investigation or their related engagements, and to date we have not found it necessary to reach out to the RCMP to advance our own investigation.
  • Under section 64(2) of the Privacy Act, the Commissioner has the discretion to disclose information to the Attorney General of Canada if there is evidence that an offence has been committed by a government director, officer or employee.

Funding for Breaches

Speaking Points

  • Since the introduction of mandatory breach reporting, the volume and complexity of breaches reported to the OPC has grown exponentially.
  • Canadians expect that the OPC will assess a reported breach to address security safeguard risks, and mitigate damages and breach recurrence.
  • Budget 2023 provided $5.7 million over two years to address investigations backlog and to enable the OPC to conduct in-depth reviews of a greater number of privacy breach reports.
  • This temporary funding has enabled real headway on these priorities, but we will need a more permanent solution if we are to address the full volume and complexity of privacy issues in today’s digital environment.
  • That is why, at a minimum, the temporary breach and backlog funding of $5.7 million should be made permanent.

Background

  • Privacy breach reporting to the OPC for the federal public sector became mandatory in May 2014 through TBS policy instruments. Privacy breach reporting under PIPEDA came into force in November 2018.
  • Prior to fiscal year 2018-19, the OPC received on average approximately 220 privacy breach reports per fiscal year from public and private sector entities combined. In the last five fiscal years the OPC received 1,019, 1,062, 1,108, 979, and 1,254 breach reports respectively, a fivefold increase on average.
  • Budget 2023 provided an additional $5.7M over two years for the office to deal with a growing number of reported privacy breaches and the complaints backlog:
    2023-24: $2.84M
    2024-25: $2.84M
  • This funding was meant as a stop-gap measure pending privacy law reform to fulfil privacy breach oversight responsibilities and to conduct timely investigations into complaints from the public.

Consent for Information Sharing by Third Party Tax Filing Platforms

Speaking Points

  • Without close examination, I cannot speak to any specific disclosure arrangements connected with any particular commercial service.
  • PIPEDA stipulates that express consent should generally be obtained when the information is likely to be considered sensitive (which would be the case with financial information).
  • My Office’s guidance on obtaining meaningful consent is clear that for consent to be considered meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner.
  • Use of inaccessible language, such as complex and confusing language, often within highly technical and excessively long privacy policies or terms of service, is a common deceptive design practice. Such practices are used to influence individuals into making privacy decisions that might not be in their best interests.

Background

  • During his November 26, 2024 appearance before ETHI, Professor André Lareau of Laval U. stated that taxpayers who use third party tax filing platforms, like those provided by H&R Block, are typically required by those platforms’ terms of service to agree to the sharing of their personal information with companies such as Meta and Google, including the sharing of information outside Canada. Taxpayers are deemed to accept those terms by using the platforms. He recommended that such platforms be prohibited from sharing taxpayers’ information with other parties.
  • Principle 4.3.6 of PIPEDA provides: “An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.”
  • In the OPC’s July 2024 sweep report on deceptive design practices, we reported that of the 145 websites and apps examined 96% had privacy policies that were either excessive in length or used technical and confusing language, making them difficult to read and understand. 
  • The October 2024 FPT Resolution Identifying and mitigating harms from privacy-related deceptive design patterns calls on organizations to promote transparency when collecting personal information by using clear and simple language.

CRA Fraudsters Exploiting Pixels

Speaking Points

  • The investigation into the breaches at the CRA will assess compliance with the provisions of the Privacy Act, including safeguards to protect against unauthorized access to and modification of personal information.
  • My Office will examine the vectors of attack and vulnerabilities that bad actors exploited to gain access to, or to create taxpayers’ accounts.
  • While it is possible that potential vulnerabilities may exist in various areas of the process used to access CRA’s systems, my Office has not been made aware of issues related to pixels captured through Meta or Google.
  • The scope of an investigation can be expanded while it is underway if we identify other relevant matters of concern.

Background

  • At ETHI’s meeting on November 26, Professor Lareau expressed concerns that ImpôtExpert facilitated the transfer of their client’s personal information to Google and Meta.
  • We have not received any complaint in this regard nor had we heard of concerns regarding ImpôtExpert specifically.
  • ImpôtExpert is tax compliance software sold online and through retail outlets.
  • ImpôtExpert is owned by Thomson Reuters, and its privacy statement describes a vast amount of personal information that is collected, including usage, device and browser information, location data and biometric data. It further describes how it and its third-party business partners (such as social media networks) may use tracking technologies including web beacons, tags and pixels. According to the statement, users can opt out of or control tracker settings.

Terms of Service used by Third-Party Tax Filing Platforms

Speaking Points

  • My Office has taken note of the testimony before this committee regarding Terms of Service used by third-party tax filing platforms with respect to sharing of personal information.
  • Third-party tax filing companies are subject to Canadian privacy law. While PIPEDA does not directly speak to Terms of Service, it does stipulate that express consent should generally be obtained when the information is likely to be considered sensitive, which would be the case with most tax information.
  • Organizations must inform individuals of their privacy practices in a comprehensive and understandable manner. Transparency is important to ensure meaningful consent.
  • Use of inaccessible language, such as complex and confusing language, often within highly technical and excessively long privacy policies or terms of service, is a common deceptive design practice. Such practices are used to influence individuals into making privacy decisions that might not be in their best interests.

Background

  • The H&R Block (Canada) online privacy policy indicates that the collection, use and disclosure of personal information is limited to what is “necessary to fulfil the product and service purposes” and that the use of cookies and other tracking technologies (e.g., web beacons) are used only to enhance the customer’s online experience.

US Congressional Investigation into “Attacks on Tax Privacy” (2023)

Speaking Points

  • Taxpayer information demands the highest level of protection given its sensitivity and the importance of public confidence in the tax system.
  • In the United States, a 2023 congressional investigation found that major tax-preparation companies, including H&R Block, were disclosing taxpayer information to Meta and Google without valid consent.
  • A recent audit report by the US Treasury Inspector General for Tax Administration also found that four unnamed tax-preparation companies had failed to comply with regulatory requirements to clearly inform taxpayers of the purpose and use of disclosed tax-return information.
  • That report also concluded that the full scope of tax information disclosed to third parties through the websites of tax-preparation companies is unknown to the Internal Revenue Service.

Background

  • In November 2022, the US news publisher The Markup reported that major tax-filing services had been transmitting sensitive taxpayer information to Meta and Google for years. In the wake of these revelations, a group of Democratic lawmakers opened an investigation into the extent of the disclosures.
  • The resulting July 2023 report found that tax-preparation companies including TaxAct, TaxSlayer, and H&R Block had shared millions of taxpayers’ tax-return information with Meta and Google by way of “tracking pixels,” or code developed by the technology companies and then inserted by other businesses into their own websites to improve user tracking and targeting.
  • The report concluded that the companies were “shockingly” reckless in enabling Meta and Google’s tracking tools on their websites without fully understanding how taxpayer data would be shared; that they appeared to act with “stunning disregard” for taxpayer privacy in failing to inform users of how their data would be collected and used; and that they may have violated taxpayer privacy laws as a result.
  • In October 2024, the lawmakers behind the report reiterated their calls for the Department of Justice to investigate after a September 2024 audit report by the Treasury Inspector General for Tax Administration found that four unnamed tax-preparation companies had shared consumer data without obtaining valid consent.

Does US Law permit Third Party Tax Filing Services to Share User Information?

Speaking Points

  • In the US, the Internal Revenue Code explicitly prohibits tax preparers from disclosing tax return information for purposes not related to the preparation of a tax return, subject to limited exceptions.
  • While there is no similar provision in Canada’s Income Tax Act, PIPEDA prohibits private-sector organizations from disclosing personal information for purposes other than the purposes for which it was collected, except with consent or required by law.
  • Companies must ensure that they adhere to Canadian privacy law. Express consent should generally be obtained when the information is likely to be considered sensitive (e.g. financial information).
  • For consent to be considered meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner.

Background

  • The OPC has not examined the information-sharing practices of tax-filing services in Canada and is therefore not in a position to comment.
  • In the US, § 7216 of the Internal Revenue Code is a criminal provision that prohibits tax return preparers from knowingly or recklessly disclosing or using tax return information for a purpose other than preparing, or assisting in preparing, the return.
  • There are exceptions to this prohibition set out in Treasury Regulations §§ 301.7216-2 and 301.7216-3 (e.g. disclosure of information for the purposes of obtaining legal advice, or if consent is given to provide the information to another preparer).
  • The fair information principles in the Personal Information Protection and Electronic Documents Act (PIPEDA) require private sector organizations to limit disclosure of information to the purposes for which it was collected (Principle 5).
  • A 2023 report by several US Senators stated that some tax preparation companies had admitted to using tracking pixels from Google and Meta, as well as other companies, which sent personal data to those companies. The report said that this could constitute a violation of US law.

CRA meeting their commitments following recommendations in the GCKey report?

Speaking Points

  • On February 14, 2024, I published the results of an investigation into the CRA’s and ESDC’s compliance with the Privacy Act related to credential stuffing attacks that had occurred in the summer of 2020.
  • Since the attacks in 2020, the CRA has been improving its online and phone authentication processes for the public to access their CRA accounts.
  • In my investigation report, I had made five recommendations to the Agency, including that they:
    • improve communications and decision-making frameworks to facilitate a rapid response to attacks; and
    • develop comprehensive incident-response processes to prevent, detect, contain, and mitigate future breaches, including by conducting regular security assessments.
  • The OPC has been monitoring CRA’s implementation of these recommendations by reviewing plans and submissions and following up regularly with the CRA to gauge progress.
  • We are satisfied that the Agency is on track to complete its implementation of the OPC recommendations by February 2025.

Background

  • Two of the recommendations were to be implemented within 6 months and two others within 12 months. The last one called for annual/bi-annual security assessments to be undertaken.
  • The OPC has been monitoring CRA’s implementation of recommendations stemming from this and another related investigation. CRA’s last update, received on October 18, 2024, indicates that the Agency is on track to complete its implementation of the OPC recommendations by February 2025.

What do you expect CRA to be doing, and are you satisfied with what they are doing?

Speaking Points

  • First and foremost, I expect institutions to contain breaches by identifying their cause(s) and implementing measures to address them.
  • I also expect institutions to notify affected individuals in a timely manner after the breach occurrence.
  • Similarly, I expect institutions to notify and collaborate with my Office when a breach is assessed as posing a real risk of significant harm to affected individuals.
  • Generally speaking, I am satisfied that the CRA is taking measures to further detect and address breaches, notably by implementing the recommendations issued in my February 2024 Special Report to Parliament.

Background

  • CRA agreed to implement the five recommendations issued to it in the February 2024 report, including incident-response processes to prevent, detect, contain, and mitigate future breaches. Two of the recommendations were to be implemented within 6 months and two others within 12 months. The last one called for annual/bi-annual security assessments to be done.
  • The above recommendations were issued to both the CRA and ESDC. A sixth recommendation was issued to ESDC only.
  • The CRA is still in the process of implementing our recommendations and expected to have them all implemented by February 2025. The CRA provides the OPC with regular updates on its progress.

What should Canadians impacted by this breach do?

Speaking Points

  • Canadians should take notifications of breaches seriously. Notifications issued by institutions should include information on what affected individuals can do to reduce the risks related to a breach.
  • Canadians affected by a breach should consider changing passwords and taking advantage of additional safeguards that are offered to them before or after a breach, such as multi-factor authentication or credit monitoring.
  • Additionally, they should monitor their compromised accounts for suspicious activity and quickly report any such activity to the responsible institution or organization.
  • Finally, Canadians should remain vigilant given that their compromised personal information may not be misused right away by threat actors.

Background

  • The OPC’s website provides advice to individuals who receive a privacy breach notification on how to reduce the risk of identity theft. One of the main recommendations is to change passwords.
  • Given that threat actors sometimes perform credential stuffing, including re-using compromised passwords, it is highly recommended that individuals do not repeat the same password on various platforms and that they change them regularly.
  • It is also useful for individuals to keep their contact information up to date, since the organization that has suffered the breach will try to contact them by various means (phone, email, mail) to advise them that their information has been compromised.

Results of engagement/discussions with the CRA since earlier this year

Speaking Points

  • CRA has indicated to the OPC that it has implemented various security tools (e.g. multifactor authentication) to limit unauthorized access to taxpayers’ accounts. CRA also represents to the OPC that they are constantly adapting to deal with new threats.
  • CRA has noted having challenges notifying affected individuals given that they first have to authenticate Canadians that they are attempting to notify to ensure that they are not reaching a fraudster.
  • Some affected taxpayers are also difficult to reach as they have not kept their contact information current in their profile or have not responded to CRA requests to call them back.
  • CRA has confirmed that it is in the process of implementing all the recommendations from the February 2024 report and that it is developing processes to improve its tracking and reporting of privacy breaches related to unauthorized access of taxpayer accounts.

Background

  • Since May, the OPC has had monthly standing meetings with the CRA to better understand CRA’s breach response processes in general, including its process to notify affected individuals.
  • These meetings also focused on understanding the nature and causes of the 31,000+ breaches reported on May 9th, CRA’s remedial measures to address these breaches, and its efforts to notify affected individuals.
  • So far, our discussions with the CRA have helped us understand their challenges in timely reporting breaches and related efforts to improve its breach handling and reporting processes.
  • While the CRA maintained it had notified or attempted to notify all 31,000+ affected individuals, the OPC has outstanding questions in this regard, including the timeliness of affected individuals being notified.

Difference between 31,000 breaches (fraud) and credential-stuffing breaches (GCKey report)?

Speaking Points

  • The credential stuffing incident that occurred in the summer of 2020 was a single breach that affected many individuals. All breached accounts were related to the same root cause.
  • The 31,000 breaches reported to the OPC in May 2024 are the result of individual attacks on other individuals’ accounts with no root-cause identified. They are separate from the credential stuffing attack that was already investigated.
  • These additional 31,000 breaches may or may not be the result of credential stuffing attacks. These include the 15,000 CERB related incidents of which we learned at the end of the February 2024 investigation.

Background

  • The 31,393 UUTP breaches reported to the OPC on May 9, 2024, are not all the result of credential stuffing:
    • They include other forms of unauthorized access to taxpayer accounts through CRA’s online portals or the CRA call center.
    • For example, some callers may have impersonated a taxpayer by calling the call center to request an account password change. The latter is not credential stuffing.
  • The 31,393 reported incidents took place between May 2020 and November 2023.

Auditor General’s Report 10 (2022)

Speaking Points

  • In the 2022 report regarding COVID-19 benefits, the Auditor General flagged that the CRA had identified more than 23,000 cases of identity theft relating to COVID-19 benefit payments. While these are not explicitly identified as privacy breaches in the report, CRA has recently confirmed to my Office that they were.
  • That said, disclosing cases of fraud to the Auditor General does not replace an institution’s obligation to report material privacy breaches to the OPC and to TBS, as per TBS policy requirements. CRA did not report the breaches outlined in the OAG’s report to my office until this year.
  • The CRA has recently indicated to my Office that the 23,000 cases referenced in the OAG report are part of the breach report it submitted on May 9, 2024, to the OPC, which referenced 31,393 breach incidents.
  • Having announced on October 29, 2024, the launch of an investigation into the matter, my Office will pursue related issues in the context of this investigation. I cannot share more details at this time.

Background

  • Paragraph 10.116 of the Auditor General’s Report 10 states: “As of July 2022, the agency identified more than 23,000 cases of identity theft in COVID‑19 benefit payments for individuals worth $131 million.”
  • The Auditor General’s Report covers the period of March 15, 2020 to September 30, 2022. This is a different, shorter, time period than that of the May 9 report that included 31,393 privacy breaches (May 2020 to November 2023). Also, the OAG was focused on fraud payments and not privacy breaches.
  • Given that the 23,000 cases of identity theft reported to the OAG had already been identified by the CRA in 2022 and found to be material in nature, they should have been reported to the OPC and TBS at the time in accordance with the TBS directive.

OPC Recommendations re Hypothetical CRA Tax Filing Platform

Speaking Points

  • TBS policy requires government institutions to notify both TBS and my Office of any planned initiatives that could relate to the Privacy Act, or that have an impact on privacy.
  • To date, the CRA has not approached my office for a consultation, nor submitted a PIA, on a potential tax filing platform.
  • Should the CRA contemplate such an initiative, my Office can provide advice and guidance on how they can do so, while meeting their legal and policy requirements, as well as incorporating best practices.
  • Without knowing details of a potential platform, I cannot provide detailed recommendations. However, I would expect to see clear and explicit privacy notices to individuals, limiting secondary disclosures of the personal information collected unless with the consent of the individual, limiting access to personal information and ensuring Information Sharing Agreements are in place where sharing may lawfully take place.
  • Additionally, the CRA would have to take steps to ensure there is strong safeguarding of the personal information at all times.

Background

  • Section 4.2.2 of the Policy on Privacy Protection requires institutions to notify TBS and the OPC of initiatives that could relate to the Act or impact privacy.
  • Privacy notices must meet the requirements set out by TBS in section 4.2.20 of the Directive on Privacy Practices.
  • Consent for use of personal information for purposes not consistent with the purpose for which the information was originally obtained is required by TBS in section 4.2.22.2 of the Directive on Privacy Practices.
  • Institutions are required to limit access to personal information per section 4.2.30 of the TBS Directive on Privacy Practices.
  • Information Sharing Agreements must meet the requirements of section 4.3.34 of the Directive on Privacy Practices.

Privacy Considerations with a CRA Tax Filing Platform

Speaking Points

  • I am aware that Professor Lareau recommended to this committee that CRA develop its own tax filing platform in order to mitigate privacy concerns associated with third party platforms.
  • I believe that a solution developed by the CRA could help ensure that taxpayers’ personal information and financial data remain under the CRA's control. This would significantly reduce the risk of third-party vendors sharing private data for other purposes.
  • Using a CRA solution would also mitigate risks of private data being stored on servers in other countries. Third-party vendors often operate globally, which can subject taxpayers’ information to the data handling laws of foreign countries. By keeping the data in-house, compliance with the Privacy Act is simplified and user data is better protected.
  • However, a tax filing platform developed by CRA would not address the issue of credential re-use. This issue relates not to the CRA’s systems and software, but to users’ security habits, such as re-using the same passwords across multiple online platforms.

Background

  • In the 2020 Speech from the Throne, the government committed to “work to introduce free, automatic tax filing for simple returns to ensure citizens receive the benefits they need.”
  • The CRA maintains a list of EFILE certified software, which verifies that a vendor’s software is compatible with the CRA EFILE electronic tax filing service. The CRA submitted a PIA on EFILE in April 2022.
  • The PIA was reviewed through the triage process but did not undergo a secondary review as the risks (specifically that a large volume of sensitive personal information is collected for a large population of individuals, and transmitted using wireless technology) were considered appropriately mitigated.
    • Note that this PIA addressed how the CRA manages the personal information of individuals who file on behalf of others; it did not explain or examine how they certify the specific software products that individuals can use to file with the CRA.