CRA accounts locked as "preventative measure" for digital security

The Canada Revenue Agency provided more details Wednesday about why some Canadians received alerts that their email had been removed and their online accounts locked.

Some taxpayers had their accounts locked Tuesday as a “preventative measure,” CRA spokesperson Christopher Doody told Daily Hive via email.

“In today’s increasingly digital world, organizations must constantly take steps to safeguard sensitive information against constantly evolving threats,” he said.

In this case, an internal CRA analysis found evidence that some people’s user IDs and passwords may have been compromised, leaving them available for use by unauthorized individuals, Doody said.

“These credentials were not compromised as a result of a breach of CRA’s systems. Rather, they have been obtained through a variety of means by sources external to the CRA,” he said.

From there, the CRA began locking the accounts as a “precautionary security measure.”

The unexpected mass lockouts caused worry and frustration Tuesday afternoon as people called the CRA’s jammed phone lines for help. Many were stumped with a mysterious “ERR.021” message as they tried to re-establish access.

“I’m not sure if it’s my identity that’s being stolen or the CRA is being hacked,” Vancouver resident Dan Larson told Daily Hive on Tuesday. “I can’t contact them.”

The CRA now says the locked accounts were not impacted by a cyber attack.

• See also:
  • Canadians are getting alerts from CRA saying their email has been removed
  • “Just frustrated and worried”: Canadians react to mass CRA lockouts
  • CRA says email removals were not due to a security breach

The tax administrator says it will work with impacted Canadians to get back into their accounts with new credentials.

“There is no urgent need for taxpayers to contact us imminently unless they are an emergency benefit applicant and have active applications in our system,” Doody said. “We will prioritize these calls to minimize delays in the delivery of these crucially important emergency benefits.”

On Tuesday, Doody said taxpayers who have been locked out of their online accounts should expect a letter via snail mail with instructions about what to do. He did not answer questions about when those letters would be sent out.

The CRA was the victim of a cyber-attack back in August 2020, where more than 5,000 accounts were compromised. Since then, Doody said the CRA has introduced several new safety measures, including multi-factor authentication.

It’s not clear if these lockouts were related to the addition of a new security measure.

The CRA did not answer questions about how many Canadians have been locked out of their accounts.