CRA Accounts locked on February 16, 2021:
In February, an analysis revealed evidence that some user IDs and passwords used to access CRA accounts may have been obtained by unauthorized third parties. We wish to reiterate that these user IDs and passwords were not compromised as a result of a breach of CRA’s online systems; rather, they may have been obtained by unauthorized third parties through a variety of means from sources external to the CRA, such as email phishing schemes or third-party data breaches.
Out of an abundance of caution, and to prevent unauthorized access to these accounts, the CRA took swift action to lock these accounts. Impacted individuals, with email addresses on file, were notified that their email was removed from their account on February 16.
The CRA continues to conduct routine checks and analyze user IDs and passwords for any unauthorized access. Through this ongoing work, additional user IDs and passwords have been identified as being available to unauthorized individuals. Like the accounts that were locked in February, these user IDs and passwords were not compromised as a result of a breach of CRA’s online systems; rather, they may have been obtained by unauthorized third parties through a variety of means from sources external to the CRA. The total number of accounts impacted is roughly 800,000.
Locking accounts in this manner is part of normal CRA operations. However, as tax season has begun, and with the recent media coverage of the email notifications some Canadians received a few weeks ago, we wish to make sure Canadians are properly informed on this matter.
Next steps
As a preventative measure, these additional CRA user IDs and passwords, along with those associated with the accounts locked in February, will be revoked, and instructions will be made available to impacted individuals on how to regain access to their CRA account. We will begin revoking these CRA user IDs and passwords starting March 13, 2021. We will be notifying impacted individuals with instructions on how to regain access to their CRA account as of this time.
It should be noted that these preventative measures are not isolated incidents and may become more frequent to safeguard taxpayers’ information.
If they attempt to log in to their CRA account with a user ID and password that have been revoked, impacted individuals will receive an error message informing them that their CRA user ID has been revoked. The error message will link them to information on how to regain access to their account.
Impacted individuals who have signed up for CRA My Account email notifications will receive an email with instructions. Otherwise, they will receive the same instructions by mail.
For more information on revoked user IDs and passwords, please visit our webpage: https://www.canada.ca/en/revenue-agency/corporate/security/revoked-userid.html
What impacted individuals can expect
Individuals can regain access to their CRA account by going to the CRA login page to create a new CRA user ID and password or by using a different login method.
An individual can have more than one login method associated with their CRA account. If one user ID and password is revoked, it does not necessarily mean the other login methods can’t be used. For example, other login methods used to access a CRA account could include a different CRA user ID and password, your banking login, or BCID (using your BC Services Card).
If individuals are unsuccessful in their attempt to use online options to regain access to their CRA account, we ask that they attempt to access their online account again after March 22, 2021. If they are still unable to access their account, they should call the CRA after this date.
It is important to note that impacted individuals can continue to file their income tax return online using NETFILE-certified software, and can apply for emergency benefits once a different login method is used or a new CRA user ID and password is established.
How to practice good cyber hygiene
In addition to the measures the CRA takes to ensure the security of personal information, Canadians’ vigilance in protecting account information is an essential layer of security. All Canadians should monitor their CRA accounts for any suspicious activity including unsolicited changes to banking, mailing address or benefit applications made on their behalf. In addition, passwords should be updated regularly.
Communications Security Establishment’s Canadian Centre for Cyber Security (Cyber Centre) is the government’s technical authority on cyber security-related matters. The CRA works in coordination with the Cyber Centre to help improve our services and to offer resources to help Canadians practice good cyber hygiene during Fraud Prevention Month and throughout the year.
In order to prevent incidents of unauthorized access and use of taxpayers’ accounts, we strongly encourage Canadians to:
- Create a personal identification number (PIN) in My Account to help confirm their identity on future calls with the CRA.
- Sign up for email notifications, a service that notifies Canadians by email if their address or direct deposit information has been changed on their CRA account.
- Monitor their account regularly for suspicious activities such as unsolicited changes to address or direct deposit information, or benefit applications made on their behalf.
- Make sure their personal and business information is up to date.
- Install software to remove all malware from computers and devices to ensure user IDs and passwords remain protected.
We remain committed to supporting Canadians during the COVID-19 pandemic and providing digital services that are reliable and secure. Good cyber hygiene is important today, more than ever, as more programs and services are offered online.