
Special report to Parliament: Investigation of unauthorized disclosures and modifications of personal information held by Canada Revenue Agency and Employment and Social Development Canada resulting from cyber attacks
This special report details an investigation into cyber attacks that compromised sensitive personal information held by the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC). Attackers used stolen credentials to access online accounts, leading to unauthorized disclosures, modifications, and identity theft. The investigation found that both departments failed to implement adequate authentication, security decision-making, and monitoring practices, contravening sections 8 and 6(2) of the Privacy Act. While both departments accepted recommendations for improvement, some weaknesses persist.
- Inadequate identity and credential assurance measures
- Insufficiently informed and accountable security decision-making
- Lack of effective monitoring and timely breach containment
- Contravention of Privacy Act sections 8 (disclosure) and 6(2) (accuracy)
Findings of contravention against CRA and ESDC, with corrective actions accepted conditionally.
The investigation found that both CRA and ESDC failed to implement adequate safeguards to protect sensitive personal information from unauthorized disclosure and modification, contravening provisions of the Privacy Act. Corrective actions were accepted conditionally.
AI-generated summary for reference only. Always verify against the official decision.
The OPC made recommendations, which the departments accepted, for improved identity assurance, multi-factor authentication, informed security decision-making, and effective monitoring, with some actions contingent on funding.
- s. 8 Privacy Act
- s. 6(2) Privacy Act
This summary is for informational purposes only and does not constitute legal advice.

