A big thanks to Quest's Jackson Shaw for pointing us to a story in the Vancouver (BC) Sun at the end of July. Under the headline "Tax collector accessed private files for gain," the newspaper reported that "A tax collector in B.C. [British Columbia, Canada] used the Canada Revenue Agency's computers to look up the private tax files of hundreds of high-income individuals, apparently in the hopes of hitting them up for a business she ran on the side, according to internal government documents."
A big thanks to Quest's Jackson Shaw for pointing us to a story in the Vancouver (BC) Sun at the end of July. Under the headline "Tax collector accessed private files for gain," the newspaper reported that "A tax collector in B.C. [British Columbia, Canada] used the Canada Revenue Agency's computers to look up the private tax files of hundreds of high-income individuals, apparently in the hopes of hitting them up for a business she ran on the side, according to internal government documents."
This wasn't a hit and run attack, though. "The CRA's internal investigation report, obtained by The Vancouver Sun through the Access to Information Act, reveals the woman's 'deliberate and systematic' mining of taxpayer information went on for four years before being detected," reports the paper.
10 of the worst moments in network security history
And, finally, the Sun notes, "The CRA confirmed this week that it has no plans to notify the taxpayers involved that their personal information was improperly accessed." CRA spokeswoman Caitlin Workman told The Sun in an e-mail: "In these specific instances, the risk assessment determined that the taxpayers whose information was accessed would not be informed since there was no risk of injury."
There are so many things wrong here.
1) Why weren't controls in place to prevent, or at least raise a flag, when an agent accessed files randomly? Were they at least audited?
2) Why did it take four years for someone to realize that there were shady dealings going on?
3) How did CRA determine the "risk of injury"?
4) Why aren't the affected parties notified whenever there's a breach?
This incident could be the poster child for why you need governance, oversight and access control policies -- and enforcement. In this day an age it's not hard to implement, and in many places it's required by government fiat. Of course, most government's always exempt themselves from the fiats they enact.
Now it may be that the CRA closely questioned the woman and accepted her word that she didn't pass on data to other parties. But the story notes that "when CRA investigators searched the woman's workstation, they found 407 social insurance numbers handwritten on various scraps of paper, envelopes and notepads scattered across her desk." Which would be available to anyone walking past, the cleaning crew, other visitors, etc. Who knows what they might have done with this information?
Best to review your governance, oversight and access control policies now -- before your organization features prominently (and ashamedly) in a newspaper headline!