Income-tax security worries raised even before Heartbleed bug hit: report
OTTAWA – The Internet bug known as Heartbleed that surfaced in early April hit the Canada Revenue Agency just as it was trying to expand its online services for individual taxpayers.
Focus groups consulted in the weeks before word of the bug triggered a five-day shutdown of income-tax servers suggest Canadians were already wary of online security at the agency.
The bug forced the agency to suspend its online tax-filing system on April 8, the height of tax season, and led to the theft of about 900 social insurance numbers from Canadians who had used the service.
The major security breach happened shortly after a focus-group project asked Canadians whether they would use new online services allowing them to submit receipts and other documents electronically, and to transfer money directly to the government online.
“The only concern mentioned with some frequency … was security of personal information,” says a March report, commissioned from Phoenix Strategic Perspectives Inc. for $53,000.
“Participants queried the secureness of the service and wondered about the potential for security breaches and loss of privacy.”
The agency is examining whether individual Canadians would use a payment system that allows money to be sent directly to the government without a financial institution as an intermediary, as is done by some businesses already.
Many participants told Phoenix they did not trust the Canada Revenue Agency, and worried the government could access private financial information or even withdraw money without approval.
There was more support for the online document-transfer service, but concerns about security remained.
A spokesman for the agency says the theft of the 900 social insurance numbers has apparently not led to any further crime.
“To date, the CRA has no evidence of fraud or theft in relation to any taxpayer affected by the compromise of CRA systems,” Philippe Brideau said in an email.
“The agency has also applied additional protections to the CRA accounts of all affected individuals to prevent any unauthorized activity.”
Brideau said almost a million tax returns were filed in the first 24 hours after the online service was restored April 13, when a Heartbleed patch was finally installed.
The total number of returns filed online as of last week is over 21 million, or 80 per cent of all returns received, compared with 76 per cent last year. The agency hit the 80 per cent threshold earlier than its 2016-17 target.
“Clearly, taxpayers have confidence in the security of CRA’s online services,” he said.
Brideau added that the Heartbleed episode has not delayed or changed the agency’s plans to expand online services for individuals.
The RCMP have charged Stephen Arturo Solis-Reyes, 19, of London, Ont., in connection with the Heartbleed breach at the agency.
The agency came under criticism for taking more than a day to suspend its online service after learning of security warnings about the bug.
The Canada Revenue Agency has been pressing more Canadians to use the online filing service largely because electronic returns cost only 80 cents to process, compared with $3.20 for paper returns that must be manually keyed or scanned.