The Canada Revenue Agency reports 29 breaches involving employees
|
Date Reported:
6/20/10
Organization:
Government of Canada
Contractor/Consultant/Branch:
Canada Revenue Agency
Location:
Undisclosed
Victims:
Canadian Taxpayers
Number Affected:
Undisclosed
Types of Data:
"confidential tax files"
Breach Description:
"OTTAWA—Dozens of workers at Canada’s tax agency have been caught snooping on their ex-spouses, mothers-in-law, creditors and others by reading confidential tax files."
Reference URL:
The Canadian Press
CFRA 580 News Talk Radio
Report Credit:
Dean Beeby, The Canadian Press
Response:
From the online sources cited above:
OTTAWA—Dozens of workers at Canada’s tax agency have been caught snooping on their ex-spouses, mothers-in-law, creditors and others by reading confidential tax files.
Internal reports at the Canada Revenue Agency show that rogue employees are improperly reviewing the private financial affairs of taxpayers without their knowledge.
And some are using agency computers to give favoured treatment to colleagues, friends, family — and themselves.
[Evan] Wow! I guess I shouldn't be a surprised as I am.
In one egregious breach last October, a woman accessed 37,500 emails and 776 documents containing confidential financial information about ordinary Canadians.
She downloaded the files onto 17 compact discs for her personal use, inexplicably helped by agency technicians.
[Evan] Again, wow! What in the world would this woman be doing with this much sensitive information, and what were these "agency technicians" thinking? These are probably not the type of people that I would want working for me.
Documents outlining the forbidden invasions into private tax data were obtained by The Canadian Press under the Access to Information Act.
In one case, a worker secretly operated a business on the side with her spouse, and between 2004 and 2009 “accessed the accounts of two creditors and the spouse of one of those creditors.”
Another worker was found to have inspected his spouse’s tax information 69 times without permission.
A woman in one unidentified office poked into the agency’s data looking for confidential information on colleagues, friends and family — apparently to give them a break on their taxes.
“The employee made unauthorized access to the tax information of three colleagues and to the tax information of a colleague’s daughter, spouse and mother,” says one report.
“She accessed her own tax information and the tax information (of) 13 relatives.... She provided preferential treatment to colleagues, relatives and acquaintances.”
“The investigation also determined that 13 other employees of the same office made unauthorized accesses to taxpayer information. Of the 13 employees, 10 provided preferential treatment to taxpayers, five accessed their own tax information, four received preferential treatment ...”
Another worker peeked at secret agency information about two companies she operated on the side — while those firms were undergoing tax audits.
“In addition, the employee made extensive unauthorized accesses to the taxpayer information of friends and family members and hundreds of other individuals.”
Yet another investigation found an employee peering into the electronic tax files of two of her spouse’s business partners, though the motive is not specified.
[Evan] Motive is important, but these people knowingly (I assume) broke rules and potentially the law by these activities. This is a huge breach of trust.
The documents show that ex-spouses are sometimes targeted, for reasons not made clear in the heavily censored material from September and October last year.
Family members were also a favoured target.
Some workers who were caught claimed they were simply helping relatives file their income-tax forms.
[Evan] They may have been "simply helping relatives", but they are simply breaking rules and ethical standards too!
But one worker admitted using the CRA computer system and confidential tax information to issue himself a false charitable donation receipt for $3,000, thus reducing his income-tax payable.
Agency records for 2008-2009 show there were 29 cases in which workers were caught accessing taxpayer records without authorization, about the annual average for the last five years.
[Evan] There were 29 cases in which workers were caught, but we have to wonder how many cases went unnoticed. Kudos to CRA internal processes for auditing and documenting the cases that were identified.
And there were a dozen instances in 2008-2009 in which tax records were improperly disclosed to third parties.
All information about disciplinary measures taken against staff who broke the rules is censored in the released documents.
But in several cases, the agency appeared to be lenient with long-term employees.
[Evan] What does it tell you about an organization when they show leniency to employees who knowingly violate policy? What good is a policy if it is not strictly enforced? You're just wasting your time. Canadian taxpayers should be angry.
“The employee admitted that she accessed the taxpayer information belonging to a former employer, her relatives including her mother, her father, her sister and her brother, as well as the information belonging to her former spouse,” says one report.
In deciding on discipline, “management took into consideration the employee’s years of service, her good employment record and her co-operation with the investigation.”
A spokesman for the agency said the number of breaches is relatively small, given that there are more than 40,000 employees.
[Evan] Well, maybe. The report highlights the breaches in which employees were caught. We don't know how many employees were not caught, or how many other types of breaches may have occurred (mistakes, lost/stolen equipment, lost/stolen media, lost/stolen documents, etc., etc.). 29 identified breaches involving employee fraud is pretty significant even in an organization employing 40,000 individuals.
“While the number of unauthorized access incidents is not large, the agency consistently continues to review its activities to enhance ... prevention, detection and deterrence,” Noel Carisse said in an email response to questions.
Carisse said taxpayers are not always informed when workers improperly access files because the breach may be judged too minor.
[Evan] The owners (taxpayers in this instance) of the information should be left to judge if the breach is "minor", not the custodians (CRA in this instance) of the information.
But taxpayers whose information is improperly disclosed to third parties are almost always alerted by telephone or mail.
[Evan] Almost always? Is there any kind of standard used?
“The (CRA) assessment will almost always lead to the conclusion that injury to the taxpayer is likely, or has already occurred,” he said, referring to disclosures.
Carisse did not provide information on the numbers of employees suspended, fired or criminally charged for such breaches, but said the agency has a “strict and enforced Code of Ethics and Conduct.”
“While any unauthorized access is unacceptable, the agency believes that the current numbers indicate that the agency is doing a good job protecting taxpayer information.”
[Evan] A "good job" is a subjective assessment made by the very people who are the subjects of the assessment. What the?
He declined to provide any further information on the worker who downloaded 37,500 emails and 776 documents, saying only that the investigation continues.
There have been previous reports of isolated security breaches by insiders at the tax agency.
CTV News reported last year, for example, that a tax agency worker was found to be leaking confidential information to a violent gang in British Columbia.
The worker was suspended months after the agency was first alerted to the problem through a police wiretap.
Commentary:
I'll give some benefit of the doubt, but this seems like a larger mess than what we are lead to believe. CRA seems content that everything is OK, and I guess it will be unless someone decides to do something about it. Canadians unite! ;)
Past Breaches:
Government of Canada: Numerous
Posted by Evan Francen at 6/22/2010 10:55 AM 
Categories: Government of Canada, Employee Fraud, Canada Revenue Agency
Categories: Government of Canada, Employee Fraud, Canada Revenue Agency
Posts Atom 1.0
Comments