OTTAWA: The Canada Revenue Agency has fired an employee for the biggest single privacy breach ever detected involving confidential taxpayer accounts. The employee improperly accessed the accounts of 38 taxpayers in detail, and briefly accessed another 1,264 accounts using a search function to find surnames and postal codes. The incident happened in an agency office in the Prairie region before March 23, 2016, when an investigation was launched, says an internal report.
“No changes were made to any of the accounts,” says the document, obtained by CBC News under the Access to Information Act. “The type of personal information included: name, contact information, social insurance number, income and deductions, and employment information. … Law enforcement will not be notified.” The document does not identify the worker or the precise date and location of the breach. A spokesman for the CRA acknowledged the incident, but played down the impact. “This represents the largest such breach at the CRA when measured by numbers of accounts,” Patrick Samson said in an email. “However, it’s important to note that these (1,264) accounts were viewed for approximately two seconds per account. … The employee in question was terminated for their actions.” The internal investigation into the breach concluded Nov. 16, 2016, with a decision to notify the 38 individuals that their accounts had been improperly scrutinized.