CRA says account lockouts not due to security breach
Posted February 17, 2021 6:49 pm.
Last Updated February 17, 2021 9:15 pm.
Countless Canadians remain locked out of their Canada Revenue Agency online accounts, due to what the CRA says is compromised user credentials.
The office of the Minister of National Revenue say there was no security breach, but an investigation found user ID’s and passwords that could have been compromised through another site.
Deanna Howlett of Mississauga says she was locked out on Tuesday but when she tried to call the CRA, she was on hold for hours before being told there was nobody to help her.
“I sat on hold for three hours and 20 minutes, all this time, listening to their elevator music and being told the next available representative will be with me shortly,” said Howlett. “And then that same voice, that pre-recorded voice said ‘we’re presently having technical difficulties and cannot transfer your call to an agent, thank you, goodbye’ and it hung up!”
Howlett got an email from CRA Tuesday afternoon, saying her email had been removed from her account. She tried to log inbut her account was blocked. Many other Canadians tweeted and posted to social media about similar experiences, and shared their long wait times on hold – in some cases six hours. Howlett says she’s especially upset as the CRA announced just this month it hired more phone agents to deal with the pandemic tax season.
“They should have it better manned than that. I get that there’s peaks and valleys through the day, but the wait should not be three hours and 20 minutes and you still don’t get to speak to anyone,” she said.
In a statement to CityNews, the CRA says the lockouts happened because it found some user ID’s and passwords that could have been compromised but underlined this wasn’t because of a security breach. Officials with the minister of National Revenue say a breach might have happened at a third-party site, where users might use the same log in or passwords as on the CRA website.
Alana Staszczyszyn, a cybersecurity consultant, says it’s normal for people to expect clearer communication from the CRA, especially after the agency was hacked last summer.
I think the biggest thing is, as we’ve been talking about, a clear disclosure of what’s happened. Becuase I think the biggest issue is everyone assuming it’s a breach and that’s a very fair assumption. But we don’t actually know. The messages in their account lockout don’t say.”
Last summer, a credential stuffing attack that affected tens of thousands of Canadians forced the CRA to temporarily shut down all of its online services.
Anyone impacted this time around will get a letter in the mail from the CRA informing them how to unlock their accounts.
