TORONTO -- Following a precautionary mass account suspension, cybersecurity experts say the Canada Revenue Agency (CRA) needs to “get serious” about its online security.
This comes after the CRA announced Friday it would be locking out 800,000 online taxpayer accounts following an internal investigation that found user logins and other sensitive information may have been hacked.
“The CRA needs to get serious about security for taxpayers,” tech expert Carmi Levi told CTV National News.
Levi says the CRA serves as a guardian for some of the most important and personal information belonging to Canadians, and protecting it should require more secure passwords and two-factor authentication, which would require users to input a code sent to their phone number in addition to their password to login. The CRA offers this feature, but it's not mandatory to use its web services.
“The time to implement two factor authentication was last summer after the first security event - not months later - and then only making it optional for Canadians,” said Levi.
The mass account suspensions have left many in limbo waiting hours before they are able to get answers in regards to their account information.
In what might be considered the most complicated tax season yet, Canadians who have lost access to their accounts will be unable to regain access until at least March 22, according to the CRA.
Taxpayers can however re-gain access to their CRA account by going to the CRA login page and creating a new CRA user ID and password or by using a different login method associated with their CRA account, the agency says.
“When you consider an account compromised it doesn’t necessarily mean it’s been assessed, it simply means that there is a risk of the account credentials having been lost, stolen or shared,” cybersecurity expert Claudiu Popa told CTV National News.
In August the CRA temporarily shut down its website after thousands of Canadians had their accounts hacked. In February, the agency suspended accounts again over fears of yet another external threat.
The latest account lockouts are a precautionary measure, and the CRA is encouraging users to update their secure login information, but not everyone is impressed with the initiative.
“I already spent 12+ hrs on hold after MyAccount locked in Feb. Now I’m locked out of my new account (with new UNIQUE login/ultra secure pw/2 factor auth) during tax season. What gives @Can Rev Agency," one users wrote on Twitter Saturday.
“I'm one of the 800,000 Canadians locked out of my CRA account today. Wonder how the 'dark web' obtained my password credentials? I think the CRA should give all of us more information about the particular third party breach," tweeted another.
