The Canada Revenue Agency (CRA) is committed to protecting the personal and tax information of Canadians. Fraud Prevention Month reminds us of the importance of taking appropriate steps to safeguard sensitive information online.
Update: Accounts locked on February 16
In February, an analysis revealed evidence that some user IDs and passwords used to access CRA accounts may have been obtained by unauthorized third parties. We wish to reiterate that these user IDs and passwords were not compromised as a result of a breach of CRA's online systems, rather they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA, such as email phishing schemes or third party data breaches.
Out of an abundance of caution, and to prevent unauthorized access to these accounts, the CRA took swift action to lock these accounts. Impacted individuals, with email addresses on file, were notified that their email was removed from their account on February 16.
The CRA continues to conduct routine checks and analyze user IDs and passwords for any unauthorized access. Through this ongoing work, additional user IDs and passwords have been identified as being available to unauthorized individuals. Like the accounts that were locked in February, these user IDs and passwords were not compromised as a result of a breach of CRA's online systems, rather they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA. The total number of accounts impacted is roughly 800 thousand.
Locking accounts in this manner is part of normal CRA operations. However, as tax season has begun, and with the recent media coverage of the email notifications some Canadians received a few weeks ago, we wish to make sure Canadians are properly informed on this matter.
Next steps
As a preventative measure, these additional CRA user IDs and passwords, along with those associated with locked accounts in February, will be revoked and instructions will be made available to impacted individuals on how to re-gain access to their CRA account. We will begin revoking these CRA user IDs and passwords starting March 13, 2021. We will be notifying impacted individuals with instructions on how to re-gain access to their CRA account as of this time.
It should be noted that these preventative measures are not isolated incidences and may become more frequent to safeguard taxpayers' information.
If they attempt to login to their CRA account with a user ID and password that has been revoked, impacted individuals will receive an error message to inform them that their CRA user ID has been revoked. The error message will link them to information on how to re-gain access to their account.
Impacted individuals who have signed up for CRA My Account email notifications will receive an email with instructions. Otherwise, they will receive the same instructions by mail.
