Cutting corners: People expect security when trusting the government with their tax information. Recently, however, a security software developer has accused Canada’s government of dodging that responsibility with lackluster cybersecurity and suspicious terms of service alterations. The changes come after recent hacks impacted Canada’s tax agency.
The Canada Revenue Agency (CRA), which handles the country’s taxes, has new terms and conditions absolving it of any liability if its online services suffer a data breach. The change affects the entire country because all Canadian citizens and businesses must handle their taxes through the CRA, entrusting the agency with their personal information. Because it holds the personal information of virtually every Canadian taxpayer, the CRA could be an extremely attractive target for identity thieves or other hackers.
The updated terms of service say the CRA isn’t responsible for the damages users suffer if someone hacks the agency’s My Account portal. The CRA claims it has done everything it could to prevent cyberattacks but cannot guarantee foolproof protection.
Such contracts might be acceptable if the agency had the best possible, or at least a very good, cybersecurity apparatus. Unfortunately, Tanya Janca, founder and CEO of security software developer We Hack Purple, claims the CRA neglects many basic security precautions.
I must accept this risk because CRA did “all reasonable steps to ensure the security of this Web site”. No you did not! You did not use any of the recommended security headers and you did not use secure configurations on your cookies! Those are secure coding BASICS! pic.twitter.com/uJCMXcVpbC
— Tanya Janca (@shehackspurple) February 20, 2023
Janca’s review of HTTP responses in the My Account portal’s login page suggests the site’s cookies lack any protection and that it doesn’t use all the recommended security headers. The ToS also forbids users from scraping the site’s code, but Janca doesn’t think that will stop anyone determined to penetrate the service.
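The review Janca describes comes down to reading a login page’s HTTP response and checking two things: whether the commonly recommended security headers are present, and whether each Set-Cookie line carries the Secure, HttpOnly and SameSite attributes. The following audit script is an added example written for this article; it is not code from the original page or from We Hack Purple, the header list is my own selection of widely recommended headers, and the two responses it inspects are constructed samples rather than anything captured from the CRA portal.

```python
"""Audit a raw HTTP response for recommended security headers and cookie attributes.

Added example (not from the article). The header list is an assumed selection of
commonly recommended headers; the sample responses below are constructed.
"""

# Header name (lower-cased) -> why a login page should send it.
RECOMMENDED_HEADERS = {
    "strict-transport-security": "forces HTTPS on later visits",
    "content-security-policy": "limits where scripts and resources may load from",
    "x-content-type-options": "blocks MIME sniffing (value should be 'nosniff')",
    "x-frame-options": "prevents framing/clickjacking (or use CSP frame-ancestors)",
    "referrer-policy": "limits what the browser leaks in the Referer header",
    "permissions-policy": "restricts powerful browser features",
}

# Attributes every cookie on an authenticated portal should carry.
REQUIRED_COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite")


def parse_response(raw):
    """Split a raw HTTP response into its status line and a list of (name, value) pairs.

    Headers are kept as a list rather than a dict because Set-Cookie may repeat.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def missing_security_headers(headers):
    """Return the recommended headers that the response does not send at all."""
    present = {name for name, _ in headers}
    return [h for h in RECOMMENDED_HEADERS if h not in present]


def audit_cookies(headers):
    """Map each cookie name to the list of required attributes it is missing."""
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; flags like Secure carry no value.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        findings[cookie_name] = [a for a in REQUIRED_COOKIE_ATTRS if a.lower() not in attrs]
    return findings


def audit(raw):
    """Run both checks and return a report a reviewer can act on."""
    _status, headers = parse_response(raw)
    return {
        "missing_headers": missing_security_headers(headers),
        "cookies": audit_cookies(headers),
    }


# Constructed sample: a response with no security headers and unprotected cookies.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

# Constructed sample: the same page with the headers and cookie attributes in place.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=()\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        report = audit(raw)
        print(f"[{label}] missing headers: {report['missing_headers']}")
        for cookie, missing in report["cookies"].items():
            print(f"[{label}] cookie {cookie!r} lacks: {missing or 'nothing'}")
```

Running the script against a live site would mean substituting a response fetched with your own HTTP client; the parser only needs the raw header block. The check is deliberately presence-only: a header that is present with a weak value (an HSTS max-age of zero, say) still needs a human to read it.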
The ToS changes could be in response to a rash of security-related incidents that have impacted the agency over the last few years.
During the summer of 2020, thousands of CRA accounts fell victim to credential stuffing attacks, in which hackers use email addresses, usernames, and passwords gained from prior breaches to take over other accounts that reuse the same credentials. In 2021, security concerns led the CRA to lock 800,000 taxpayers out of their accounts.
One victim filed a class action lawsuit against the government last August. The victim’s account was taken over, and their direct deposit information was changed as part of a COVID-19 financial assistance scheme.
So far, the CRA hasn’t responded to Janca’s information requests. She plans to give a presentation on the issue at the Privacy & Access Council of Canada’s Privacy & Data Governance Congress on March 10.