CANADA SECURITY LAPSES AT REVENUE CANADA GOVERNMENT AGENCY The Globe and Mail: Security lapses found at Revenue Canada

Sunday, June 5, 2005 Updated at 3:19 PM EDT

Halifax

Months after they left their jobs at the Canada Revenue Agency, a handful of former employees in the Atlantic region still had the ability to access sensitive case files belonging to taxpayers, a recent federal audit concluded.

The security lapse involved identification codes and passwords that employees use to log into the agency's central computer.

“In many cases, mainframe user IDs remained active months beyond an employee's termination date,” said the review by the federal Corporate Audit and Evaluation Branch, and obtained under an access to information request by The Canadian Press.

The review said mainframe access, at the time of the audit, remained active for 26 per cent of employees who either left the department or the civil service from January 2002 to May 2003.

The tax files of millions of Canadians are stored in the agency's computer.

The evaluation also pointed out that the computer housed 351 identification codes — more than double the 170 employees who work in the region and have access to tax records.

Some staff had two or three identifications assigned to them.

Nearly 65 per cent of all of the codes had not been used in a year, while some had not been used since 1995, said the December 2004 audit.

Not all Canada Revenue staff have access to tax files, but those who do are only allowed to retrieve data when they are working on a case.

The audit found that employees were well aware of their personal responsibility not to access unauthorized client information; however, not all of them knew they were responsible to report unauthorized access when it involved another staff member.

Despite the oversights, an agency spokesman said authorities can find no evidence that former employees retrieved any sensitive files.

The audit only uncovered a risk to the system and no tampering, said Roy Jamieson.

“These are audits we request to uncover these very kinds of risk,” he said.

“Deficiencies in the system don't catch us by surprise. We go looking for them.”

But the explanation doesn't satisfy a taxpayers' lobby group that accused Revenue Canada of becoming increasing sloppy with its handling of sensitive information.

The executive director the Canadian Taxpayers' Federation said at a time when identity theft is becoming more common, Ottawa should have been more vigilant.

“If someone's information is removed, stolen or used improperly, that has a real effect on individuals,” said John Williamson.

“This is a question of confidence between government and its citizens.”

As Canada Revenue computers are on a local area network and not accessible from outside of the various offices, Jamieson said it would have been difficult for ex-staff members to tamper with the system, unless they were actually in a tax office.

As a result of the warning, redundant identification codes are being cleaned out of the computer and those that are still active but unused after 60 days will automatically expire, said the audit.

Federal tax offices throughout Atlantic Canada, including those in Halifax, Saint John, N.B. and St. John's, Nfld., were part of the review, which took place from May to September 2003.