The Lockout: Communication Was the Key
An examination into the Canada Revenue Agency (CRA)'s lack in communication when it locked out 187,000 Canadians from their CRA account in February 2021.
Office of the Taxpayers’ Ombudsperson
1000-171 Slater Street, Ottawa, ON K1P 5H7
Telephone: 613-221-3109 | Toll-free: 1-866-586-3839
Fax: 418-566-0321 | Toll-free: 1-866-586-3855
© Minister of Public Services and Procurement Canada 2022
Cat. No.: Rv10-22/2023E-PDF
Lead Systemic Examination Officer:
Manager Complaints and Examinations:
Line De Matteis
Graphic Design and Layout:
nineSixteen Creative Inc.
We went into this examination mindful of the context in which the Canada Revenue Agency (CRA) was operating in February 2021.
Specifically, months earlier, in the summer of 2020, “credential stuffing” attacks perpetrated some CRA Accounts and GCKey service. GCKey service is used to access multiple government online accounts. These cyber attacks were acknowledged by the Government of Canada’s Chief Information Officer and lead the CRA to take further steps to secure its accounts to prevent fraud from being perpetrated by bad actors. This was especially important at the time because applications for many COVID-19 benefits were still open.
In addition, during this period, and in the months that followed, the CRA was receiving significant media attention because some COVID-19 benefit recipients were being told there might be issues establishing their eligibility for the payments they received, and that they might need to repay some of these amounts if their eligibility could not be confirmed.
While we acknowledge the CRA had multiple competing priorities at the time, its lack in communication after it unintentionally emailed 119,200 Canadians lead to many becoming aware that they were locked out of their CRA Account while at the same time were not immediately informed as to why.
While secrecy may be a tool in cybersecurity, the CRA identified that there were shortcomings in its coordination and communication efforts because it needed to deploy new security measures quickly.
This report lays out the importance of timely communication even at times when there are competing priorities. Complete, accurate, clear, and timely information is what Canadians expect of the CRA, especially in times of crisis. The CRA should take all necessary steps to ensure this does not happen again. While the CRA quickly improved its process for securing accounts to be less disruptive and more informative, the recommendations in this report will help the CRA deliver information to Canadians for all situations, in a timely manner.
Mandate of the Taxpayers' Ombudsperson
The mandate of the Ombudsperson is to assist, advise, and inform the Minister of National Revenue about any matter relating to services provided by the CRA. It is set out at Article 4 of the Order in Council P.C. 2020-0703. We fulfill this mandate by communicating, facilitating, examining, and influencing.
Everything we do starts with you. Once you make a complaint with us, we will contact you to listen and discuss your issue. We are impartial and objective. We will neither advocate for you or the CRA. We will conduct an independent review of your complaint, and if we identify a service gap, we will work to resolve it.
Further, we reach out to organizations to inform them of our services and listen to the issues they and their clients or members are experiencing with the CRA’s service.
If you have a service issue and calling the CRA does not resolve the issue, then you can file a complaint with CRA Service Feedback at Canada.ca/cra-service-feedback. CRA Service Feedback allows Canadians to submit a complaint, or provide positive feedback, to the CRA.
If you submit a complaint to us, and you have not filed a complaint with CRA Service Feedback, we can facilitate this process for you. Sometimes issues can only be solved by talking to someone at the CRA. We can facilitate this contact if your situation is compelling.
We generally consider situations compelling if waiting for the CRA Service
Feedback to finish its review will:
- limit you from having the basic necessities of life
- limit your business from operating
- significantly impact your mental health and/or reputation
If CRA Service Feedback does not resolve your service issue, contact us. We can examine the issue. We will review the CRA Service Feedback response and case. We will ask you and the CRA questions, analyze the information we receive, and provide you with our findings.
We also look into trending issues we hear from complainants. If we identify a trend, we will review it to see if we can play a role in addressing it, with the CRA’s help.
Our goal is to make meaningful, feasible recommendations to improve the quality of service the CRA delivers. These recommendations can impact a specific taxpayer or a segment of the population.
What we do
We are here to improve the service the CRA provides to taxpayers by reviewing service complaints. We also look at issues that can affect more than one person.
A taxpayer is generally someone who is liable to pay a tax, eligible for a benefit, or provided with a service by the CRA.
We review unresolved service issues linked to eight of the service rights outlined in the Taxpayer Bill of Rights. To view the eight rights we uphold, go to Canada.ca/oto-your-rights.
We can also facilitate contact from the CRA when a situation is compelling. Further, if a service issue affects more than one person or a segment of a population, we can review it to determine if there is an underlying issue so we can provide recommendations to resolve it.
In addition, we reach out to organizations, listen to Canadians, and carry out research to give a voice to vulnerable populations who may not otherwise be heard. This gives us a better understanding of Canadians’ impressions of the CRA and helps us focus our research on issues needing review.
We serve taxpayers and their representatives. We also serve vulnerable people who may not reach out to us directly.
Connecting with you
We are constantly striving to connect with more Canadians and become more well known. We encourage Canadians to take advantage of our free service, if they have any unresolved service issue with the CRA.
How we operate
The Taxpayers’ Ombudsperson reports directly to the Minister of National Revenue. While we do work independently from the CRA, we are administratively linked when managing financial and human resources. In other words, we do not have direct access to taxpayer information found in CRA databases but we do have processes in place, and with your consent, we exchange your information with the CRA to resolve your service complaint.
In early February 2021, right before the CRA opened the tax-filing season for 2020 income tax and benefit
returns, there was a considerable change in what we were hearing from complainants. We began hearing
about restricted access to their CRA accounts.
40% of complaints we received between February to March 2021 identified an issue related to their CRA Account.
This issue became front and centre at our Office on February 16, 2021, when we saw a spike in complaints about CRA accounts, heard first hand from Canadians, and saw reports in the media.
Figure - text version
The majority of Canadians rely on their CRA accounts to communicate with the CRA online.
CRA accounts allow:
- you to view your personal income tax and benefit information, and manage your tax matters online: change your return, change your address or telephone number, sign up for email notifications from the CRA, authorize your representative or formally dispute your assessment or determination through My Account
- authorized representatives online access to the personal tax and benefit information and/or business account information of an individual or business, or your employer through Represent a Client
- businesses access to GST/HST, payroll, corporation income taxes, excise taxes, excise duties, and other levies accounts online through My Business Account
Affected CRA account users were all reporting being locked out of their account after receiving an email from the CRA which read/said:
Image - text version
Image text says the following:
Subject: Email Address Removed
– Canada Revenue Agency /
Adresse de courriel supprimée –
Agence du revenu du Canada
English version *** La
version française suit ***
This email address has been removed from your Canada Revenue Agency account.
You will no longer receive email
notifications to this email address.
This is an automated email
message. Please do not reply.
Version française *** The English version precedes ***
Cher/Chère ****** :
Cette adresse de courriel a
été retirée de votre compte de
l’Agence du revenu du Canada.
Vous ne recevrez plus les
avis par courriel à cette
adresse de courriel.
Ceci est un message
Veuillez ne pas y répondre.
We saw the unsolicited email caused many Canadians to be concerned, and we understood why: Canadians did not request the removal of their email address. In addition, the email they received from the CRA failed to provide any meaningful information. When verifying their CRA account to validate the information found in the email, an error message was provided indicating their account was locked and to call the CRA.
At this time, the CRA had not communicated to anyone, including the affected users, that it locked CRA accounts. However, given all the confusion and media coverage on this topic it was clear the CRA needed to make a public statement. Doing so would have built trust with Canadians and helped the CRA fulfil its vision to be trusted, fair, and helpful by putting people first.
Many Canadians who were locked out of their CRA account followed the CRA’s instructions and called its contact centre, hoping to connect with an agent and regain access. This lead to an additional issue, as those who called the CRA became dissatisfied by their CRA contact centre service experience. While many were initially concerned about being locked out of their CRA account, they became frustrated when they were unable to reach an agent at the CRA to try and resolve the matter. Further, their frustration continued because even though the CRA’s contact centre was at capacity, the CRA still encouraged people to call when replying to them through its social media.
Consequently the CRA’s contact centre rejected many of these calls because its queues were full. However, even the callers who managed to get into the queue were dissatisfied, because for weeks they were forced to endure long wait times; callers reported getting prematurely disconnected and some who spoke with an agent, just got transferred to another queue to face even longer wait times.
For the Canadians who managed to get through in the first couple of days and regain access, they were still provided with little information as to why their email address was removed.
It wasn’t any easier for those who chose not to call to get clarity on why they received the email. This was because, for many hours, the CRA remained silent. On February 16, and for most of February 17, 2021, Canadians publicly expressed that they could not get the clarity they needed from the media, on Canada.ca, or from the CRA’s social media accounts on the reasons why they had received this email or why their access to their CRA account had been locked.
This lack of clear communication by the CRA is what lead us to opening this examination. Our goal was to examine the CRA’s communication efforts and identify any opportunities to improve its communication to Canadians.
Background and Timeline
From February 8–9, 2021, the CRA was reviewing CRA User IDs and Passwords, referred to as “credentials,” so that it could identify any that could potentially be compromised and give unauthorized access to CRA accounts.
These credentials may have been compromised by unauthorized third parties, external to the CRA, who may have obtained them through a variety of methods, such as email phishing schemes or third-party data breaches.
The CRA’s review identified 187,000 CRA accounts that could be accessed by potentially compromised credentials. To
secure the affected CRA accounts, the CRA locked them on February 11, 2021. Then, on February 16, 2021, the CRA removed the email addresses from 119,200 of these accounts. This allowed taxpayers to get paper mail sent to them, in the meantime, while they did not have access to their account. Normally, when the CRA removes an email address from a CRA account it sends out an automatic email to the taxpayer. This email is usually suppressed when the CRA is locking the account without first consulting with the taxpayer. However, this time, the CRA failed to prevent this email from getting sent out. This resulted in the CRA unintentionally sending out an email to each of the 119,200 taxpayers who had
an email address on file with the CRA.
Within approximately an hour, the CRA realized it had sent the emails in error and soon began to hear from the media.
The CRA provided responses to the media, and late on February 17, 2021, it provided additional information through its social media accounts.
Then 24 days later, March 12, 2021, it issued a statement, entitled: “Accounts locked on February 16” on Canada.ca.
Then 56 days after that, May 7, 2021, the CRA sent a letter to the 67,800 taxpayers who did not have an email address
on file with the CRA informing them their credentials were revoked.
Image - text version
- CRA analyzes 18.7 million credentials
- Identifies problematic credentials linked to 187,000 unique CRA accounts
- CRA locks out the 187,000 affected taxpayers from their CRA Account
2:30 P.M. EST
- CRA removes the email addresses from the 119,200 acccounts with an email address
- This removal triggers an automated message being sent to each taxpayer, normally surpressed
~2:30 P.M. EST
- 119,200 taxpayers recieved an unsolicited email indicating their email address was removed
3:35 P.M. EST
- CRA realizes an error occurs after it did not suppress the email from being sent out
4:47 P.M. EST
- Canadian Media outlets begin to report on the issue
9:25 P.M. EST
- CRA provides more information through its social media accounts and posts a bullletin on Canada.ca
8:54 P.M. EST
- CRA releases the statement, accounts locked on February 16, on Canada.ca
- CRA sends a letter to the 68,000 taxpayers who did not have an email address on file
The Impact on Canadians
To fully understand the impact the lockout had on Canadians, we needed to look at how it affected them.
The CRA indicates that it has embarked on a transformation journey to strengthen its service offerings to meet client needs and expectations by putting people first. Further, it indicates it wants to be more client-centric and has developed a new philosophy placing Canadians at the centre of its decision making. Its goal is to provide Canadians with “access to easy-to-understand, high-quality and consistent information, and proactive and personalized support, regardless of the
channel they prefer to use to communicate with the CRA.” Yet, its communications efforts, after it locked out 187,000 Canadians from their CRA account, failed to:
- put people first
- be client-centric
- provide consistent information regardless of the channel Canadians preferred to use
However, most importantly, the CRA did not recognize the impact its lack of action had on each affected individual and all other Canadians who put their trust in the CRA. Instead, they were left with a lack of proactive communication after it locked out thousands of Canadians from their accounts and unintentionally sent them an email in error.
After numerous communications with the CRA, we tried to get to the root of the problem. While the CRA acknowledged its communications efforts could have been better, it did not adequately acknowledge the impact its actions, or lack thereof, had on Canadians.
Even Canadians who did not receive an email from the CRA were impacted. We found that some were anxiously awaiting reassurance from the CRA that there was not a security breach. It took the CRA up to six days and five hours to inform Canadians that it locked their accounts and over one day and five hours to go public on social media and on Canada.ca after it realized it unintentionally sent the emails to 119,200 Canadians. This left many Canadians relying heavily on media
and others ultimately were left in the dark with no direct reassurance from the CRA.
At a time when “[c]lose to six in 10 (57 per cent) Canadians have seen fraud attempts increase …[,]” and soon after the CRA has had its own cyber incidents, it should have been especially aware and mindful of the impact its unsolicited email had on Canadians.
Understandably many Canadians after receiving the CRA’s email, questioned themselves asking:
Did my CRA account get hacked? Is this fraud?
Has there been a data breach?
In 2021, there were 106,974 reports of fraud in Canada, impacting 67,916 Canadians, losing 381 million dollars. Footnote 1
The CRA did not have to look much further than its own social media accounts to see that Canadians were questioning the email they received. They were reporting “Was the CRA just hacked?...” “…I am assuming it’s a glitch in the system or Cra has been hacked?...” “…did the CRA get hacked today?”, “My account has been hacked and it has been impossible to get through to anyone on the CRA fraud line…”
It was clear Canadians were questioning the reason they received this email. Many soon expressed that they were starting to feel anxious.
Canadians were anxious at the possibility their CRA account was compromised. This is because at the time the CRA was still administering many COVID-19 benefits. These benefits were a lifeline for many Canadians who relied on them to afford the basic necessities of food and shelter or to continue to operate their business. Some were scared at the thought the CRA could have been hacked and that access to their much needed benefits could be impacted.
Canadians reached out to the CRA indicating: “My email got removed; I am scared out of my mind right now…” and “This is scary…!”.
However, as the media became aware of the situation it reached out to the CRA and was provided more detailed information. This resulted in Canadians being reassured the CRA was not hacked. We observed, while Canadians began to express less anxiety, they soon began to voice their frustration with the CRA for its lack of communication.
We saw that Canadians demanded the CRA provide them with more information, and many of their pleas were left unanswered for over 29 hours.
To make matters worse, the CRA, which was usually very active on social media, averaging three Twitter posts per day in 2021, did not make a single post after sending the emails in error until over 29 hours later.
To us, Canadians were clear about what they needed: they needed direct communication. The CRA indicates that it will “read all direct mentions on social media,” yet despite reading what Canadians were saying it did not take any meaningful action within a reasonable time period.
Taxpayers indicated “Can you please provide communication about the emails that went out declaring email addresses removed and accounts getting locked down?” “it’s garbage that we as [C]anadians need to place this kind of mass pressure on such an institution (i.e. one that we cannot avoid using) to get communication. do better.” “I don’t know if I find comfort knowing that so many people are in this mess together, or disappointment that someone in communications is ignoring everyone’s concerns. Speaks volumes as to what privacy means for the CRA.”
A key aspect of the CRA putting people first philosophy should be to fully understand the impact its actions, or inaction, can have on Canadians. Hopefully, this report shines a light on what Canadians experienced and it encourages the CRA to communicate more proactively going forward.
Findings and Observations - The Crisis
One of the main issues of this examination was the fact that the CRA was not prepared to share information about the action it took. Although it did not communicate with Canadians in a timely manner after it locked out 187,000 Canadians and unintentionally emailed 119,200 of them, it should have been prepared to share information with Canadians as soon as it locked the accounts.
As a taxpayer, you can expect the CRA to provide you with complete, accurate, clear, and timely information. This is right 6 from the Taxpayer Bill of Rights.
Learn more about your rights and the eight rights we uphold at Canada.ca/oto-your-rights.
The CRA seemed to have a goal in mind: protect Canadians and perform an analysis of credentials that could be potentially compromised and misused by unauthorized third parties.
Having the CRA take action to safeguard accounts is commendable, and expected. With the increasing amount of data being stored online, Canadians and organizations need to be careful in securing online accounts to ensure that there is no unauthorized access to their accounts. Although the CRA knew the analysis would likely result in potentially compromised credentials and accounts being locked, it did not have a sufficient plan to immediately inform affected
Canadians of its action, and how to resolve it.
It is important to understand that even if the email sent in error had not been sent, those 187,000 accounts were already locked regardless. The CRA was not prepared to immediately inform the affected Canadians. This left many Canadians in the dark.
Recommendations in this systemic examination report are made to the Minister of National Revenue and the Chair of the Board of Management.
Image - text version
The Taxpayers’ Ombudsperson recommends the CRA conduct a formal review of its processes to ensure it has a flexible plan that provides for a coordinated effort to proactively inform Canadians, in a timely manner, namely on Canada.ca, through social and traditional media, and email about issues that could affect them.
Understanding of the issue
When examining this issue, we recognized it as a crisis for the CRA and the 187,000 Canadians impacted. Further, to effectively put people first at the CRA, it needed to look at this situation as a crisis, and not underestimate the situation or fail to recognize its seriousness.
Communicating in a crisis
To communicate effectively in a crisis, we must first understand how people process information during a crisis.
As part of our crisis research, we looked the Centers for Disease Control and Prevention’s Crisis and Emergency Risk
Communication (CERC), which “provides trainings, tools, and resources to help health communicators, emergency responders, and leaders of organizations communicate effectively during emergencies.” It also makes available a manual, Psychology of a Crisis, that describes the four ways people process information during a crisis.
They indicate people will:
- simplify messages
- hold on to current beliefs
- look for additional information and opinions
- believe the first message
From this, the CERC identifies four desirable traits that messages should have from the communicator.
Specifically, they should be:
- disseminated from a credible source
- accurate and timely
These four traits effectively capture what was needed during the CRA Accounts lockout crisis. Below we will examine how each could have had an impact on the lockout. Putting people first should start with keeping Canadians informed.
When we look at the messages the CRA provided during this crisis, some were neither direct, nor concise.
For example, the CRA’s main statement that was provided to many media outlets did not emphasize that:
- There was no cyber attack at the CRA
- There was no urgent need for Canadians to unlock their account, unless they needed COVID-19 benefits
The statement read:
The Canada Revenue Agency (CRA) would like to take the opportunity to clarify an alert that was sent on February 16 regarding the email addresses associated with some CRA accounts. Taxpayers may have received a notification from the CRA indicating that their email address has been removed from their account.
To be clear, these accounts were not impacted by a cyber attack at the CRA. These accounts have not been compromised and the action taken to lock the accounts was a preventative measure. In today’s increasingly digital world, organizations must constantly take steps to safeguard sensitive information against constantly evolving threats. The protection of taxpayer information is of the utmost importance for the CRA. This is why we have stringent and ongoing measures in place to analyze and identify and mitigate against potential threats.
In this particular case, an internal analysis revealed evidence that some account credentials (i.e. user IDs and passwords) may have been compromised, and may be available for use by unauthorized individuals. These credentials were not compromised as a result of a breach of CRA’s systems. Rather, they have been obtained through a variety of means by sources external to the CRA. As a precautionary security measure and to prevent unauthorized access to these accounts, we took swift action to lock the accounts and are in the process of contacting the legitimate account holders to unlock their accounts.
We will work with impacted individuals to re-establish their credentials and unlock their accounts. There is no urgent need for taxpayers to contact us imminently unless they are an emergency benefit applicant and have active applications in our system. We will prioritize these calls to minimize delays in the delivery of these crucially important emergency benefits.
Canadians’ vigilance in protecting account information is also an essential layer of security. The CRA reminds all Canadians that it’s important to monitor their CRA accounts for any suspicious activity including unsolicited changes to banking, mailing address or benefit applications made on your behalf. Canadians are also encouraged to change their passwords regularly.
Since the occurrence of cyber incidents in summer 2020, the CRA has introduced a number of additional safeguards and proactive measures to increase the security of our online accounts, including the introduction of multi-factor authentication.
We thank Canadians for their patience as we work to reactivate accounts and remain vigilant regarding our online security to ensure the protection of taxpayer information. We regret this inconvenience.
For more information on how to protect yourself against fraud, please visit our website.
While the statements provided on LinkedIn and Facebook were simpler, its Facebook statement failed to inform Canadians there was no urgent need for them to unlock their account, unless they needed COVID-19 benefits. However, the CRA did do so on Facebook when it responded to taxpayers’ comments. It is clear the CRA overlooked the power of simple messaging in a crisis. This oversight likely lead to more questions from Canadians at a time when they needed clarity.
The CRA could have simply said:
To safeguard taxpayer information, we locked some CRA accounts. Credentials (i.e. CRA User IDs and passwords) used to access these accounts could have been comprised by a third-party, external to the CRA.
This was not caused by a cyber attack at the CRA.
Every affected account with an email address was sent an email indicating their email address was removed.
Do not contact us to unlock your account unless you’re in an urgent need for a COVID-19 benefit.
We will reach out to everyone affected.
This simplified messaging would have provided the necessary information to Canadians and emphasize that there was
no need to call. Further, it would have alleviated the additional issue the CRA caused to its Contact Centre at the start
of its 2021 tax season.
27,100 Canadians who were locked out of their CRA Account likely spent a combined total of nearly 3,000,000 minutes (50,000 hours) waiting on hold in the span of four weeks trying to talk to the CRA and ultimately regain access.
Unfortunately, all of this time was wasted because as early as February 23, 2021, the CRA was actively pursuing an alternative solution for taxpayers to regain access to their CRA Account, without the need to contact the CRA. Further, by March 1, 2021, the CRA was confident in this new approach, yet it failed to update its contextual alerts on its online services webpages to communicate this to Canadians. Rather, Canadians were presented with the same message on Canada.ca from February 17, 2021, until March 12, 2021.
The CRA should have made Canadians aware that it was actively pursuing an alternative approach to help them regain
access to their CRA Account. By doing so, it would have lessened the burden it caused to its Contact Centres, as well as the frustration and anxiety experienced by many Canadians.
Image - text version
The Taxpayers’ Ombudsperson recommends the CRA create an update schedule for its contextual alerts to ensure the information that it is still providing is helpful and up to date.
After this incident occurred, what we found to be of concern to Canadians as well as our Office, was the lack of information available on Canada.ca and the CRA’s reliance on social media to provide the full picture.
The Government of Canada’s website, Canada.ca, has built a reputation as being a credible source for all Government of
Canada communications and information (including its departments and agencies).
Due to the limited character count on certain social media platforms, any information posted on social media should
link to a Canada.ca webpage with more information. This is not just our view, but is also that of the Treasury Board of Canada Secretariat, which governs the mandatory guidelines for Government of Canada social media and web communications.
However, after the CRA emailed taxpayers it did not provide a link from its social media posts to Canada.ca, rather it provided a link to its LinkedIn page which was not easily accessible.
We knew the CRA needed to communicate to all Canadians, why didn’t they?
The CRA needed to communicate to all Canadians, as even non-impacted Canadians were questioning the CRA’s infrastructure and what was happening at the CRA.
Therefore, the CRA should have been prepared to reassure Canadians as soon as it realized what had happened.
The CRA has told our Office that if it were to publish a statement on Canada.ca, it would not have been direct enough. We respectfully disagree. A statement on Canada.ca is direct and comes from the foremost source. While posting a statement on Canada.ca may not reach each affected CRA account user directly, the CRA could have also emailed and mailed the same statement to the affected Canadians. Yet, the CRA indicates it could only email the statement if it added the emails back into its system and it chose not to. The CRA’s responses to the questions we asked during our examination demonstrated that the CRA created barriers to communicating with those affected. There may never be one perfect solution, but the CRA’s solution in this instance was insufficient.
Figure - text version
The Taxpayers’ Ombudsperson recommends the CRA ensure that it always provides a link for more information to the Government of Canada’s web presence, such as Canada.ca, from its social media posts.
While communication is key, consistency in the messaging is equally important. Consistency helps to build trust and
confidence in the messaging. However, for this crisis, the CRA was not consistent. Neither to its Contact Centre agents, the media, on Canada.ca, nor through its posts at the time on its social media accounts: Facebook, LinkedIn, and Twitter. While each of the CRA’s statements appear to have deficiencies, one thing was apparent and that is the lack of consistency in its messaging. Further, the CRA failed to explain why its communication lacked consistency.
While we are aware of the character limitation on Twitter there are other methods to providing more detailed information. For example, if it were to have posted its LinkedIn statement on Canada.ca it could have avoided this limitation, while also providing consistent messaging from an accessible and reliable source. However, the CRA provided
inconsistent statements that were confusing to the reader. A consistent statement provided through all its communication methods would have helped the CRA restore its trust with Canadians and ultimately would have been helpful to many.
Accurate and timely
No communication for up to six days and five hours is not timely or acceptable. The Canadian Chamber of Commerce provides a Crisis Communications Planning Guide available for information purposes. In it there are Principles of Effective Crisis Communications highlighting that there is “always something you can say,” and that “All other communications should be paused.” While the CRA stopped all other communications until it addressed this email situation, it took the CRA one day and five hours to respond to those who received an email, and up to six days and five hours for those who tried to log in and were locked out of their account.
We commend the CRA on being proactive by identifying potentially compromised credentials and safeguarding sensitive
information against constantly evolving threats. However, due to the notification email, the CRA had to be reactive rather
than being strategically prepared to communicate how it safeguards sensitive information. While it communicated important information to the media it did not effectively communicate with Canadians directly.
Therefore, the CRA must start improving its communication by making public the information it provides to the media. This would have helped make the information it provided more timely. If it is important enough to provide to the media it is important enough to provide to all Canadians on Canada.ca.
Figure - text version
The Taxpayers’ Ombudsperson recommends the CRA make the information it provides to Canadian media outlets available to Canadians at the same time, for example, through Canada.ca.
In addition, the CRA failed to take ownership of the issue and did not disclose the reason Canadians received the emails. While we recognize that errors happen, there is no reason to not be up front with Canadians.
Further, and more concerning, is that 24 days later, when the CRA finally provided a statement on Canada.ca, it was inaccurate. Specifically, it was entitled “Accounts Locked on February 16”; however, the accounts were actually locked on February 11.
The CRA must be more mindful of right number six in the Taxpayer Bill of Rights, which tells Canadians they have the right to complete, accurate, clear, and timely information from the CRA. Doing so will help the CRA communicate more effectively.
Findings and Observations - The Communication Approach
By the CRA failing to follow a sufficient crisis communication strategy, its approach created some unique issues, many of which further exasperated the problem.
Specifically, the CRA:
- provided a statement on LinkedIn which was not easily accessible to some
- lacked updated directives on what to do in a crisis
- did not have a progressive communication approach
- failed to make decisions empathetically
- did not conduct a post-mortem to identify its communication missteps
As stated earlier, for the CRA to make its statement on the lockout most accessible, it should have made it available on
Canada.ca. However, the CRA opted to make it only available on social media until March 12, 2021. This lead to two additional issues:
- When Canadians wanted to find out more information and went to the CRA’s Tweet they were re-directed to the CRA’s LinkedIn page. However, LinkedIn prevented some users from accessing their site without first logging in. This is something many users would likely opt not to do, especially after learning their credentials may have been compromised. We made the CRA aware of this issue and it stood by its decision to do this. It indicated that in the original testing, it found that once users were “redirected to the Canada Revenue Agency’s LinkedIn main page, users would have been able to see the then-pinned post highlighting the lockout update.” However, even to this day we are unable to access the CRA’s LinkedIn page from its Tweet. While we can navigate to the CRA’s LinkedIn page independently we are always prompted for credentials after clicking the hyperlink in the Tweet.
- Francophone Canadians who were fortunate enough to gain access to the CRA’s LinkedIn page would soon not have had easy access to the CRA’s Update. This is because LinkedIn rules only allow one Update to be at the top and the CRA chose the English update. This allowed the English post to be highlighted at the top, but left the French post buried after additional posts were made a day later. These unique issues could have been prevented, and Canadians could have been provided the information they needed by linking to additional information on Canada.ca. When more information is required from a social media post the CRA should drive Canadians to more information on Canada.ca 100 percent of the time.
Procedures and directives
The CRA has updated its Issues Management Directive following the lockout. This directive provides guidance on how “[t]o anticipate, identify, assess, mitigate, respond to, and communicate effectively regarding internal and external issues that could affect the CRA’s operations, ability to fulfill its mandate or undermine the trust and confidence of Canadians in the CRA.”
However, the CRA lacks a communication crisis plan that details the specific actions the CRA must take to address the crisis. While its Issues Management Directive is good at identifying broad steps to follow, it lacks the precision that is usually specified in a communication plan.
Figure - text version
The Taxpayers’ Ombudsperson recommends the CRA ensure that it has an issue management plan that is adaptable so it can efficiently communicate with Canadians when there is an emerging issue.
One thing that became evident in our examination was the CRA’s reactive approach to the account lockout issue in its actions and communications. Even the CRA told our Office that it was reactive, not proactive. However, the CRA should do its best not to get caught off-guard and ensure that it involves subject matter experts at times when many Canadians could be affected. By consulting with communication subject matter experts the CRA could have been prepared should adverse impacts have been flagged. This was not the case during the lockout. Even in the days leading up to the lockout
and even though it was analyzing credentials that were potentially compromised, the CRA was not preparing a communication plan.
During this time, and likely for weeks before, the CRA should have known what the review could uncover. Therefore, it should have known it needed a communication plan to ensure that it was prepared for the findings. However, what we heard from the CRA was that it did not do this and continued to have no communication plan until it changed how it
secured accounts on March 13, 2021. Again, we were surprised that such an immense project failed to have a communication plan.
Empathy in service at the CRA
The CRA indicates that “Empathy is the ability and willingness to put oneself in another’s shoes and connect with their
thoughts feelings and emotions, without judgment.” However, if the CRA’s employees would have put themselves in another’s shoes, and connect with their thoughts and emotions they would have known Canadians wanted reassurance and direction quickly and efficiently. The CRA’s communication approach failed to provide this.
Conduct a post-mortem
The first step to improving your response is to question what went wrong. It is always better to learn from your mistakes so they are not repeated. One of the best ways to do so is to conduct a post-mortem and identify what went wrong, what worked, and what can be improved. Therefore, we asked the CRA if it performed a post-mortem, and felt its response was incomplete.
The CRA informed us that errors were made, identified, and acknowledged, but it still did not conduct a specific or formal review. Then, when we requested the CRA identify the errors it made, it merely indicated that the responsible areas within the CRA should have been briefed ahead of time, allowing it to prepare proper contingency plans, such as a communications plan.
While we agree that advanced consultation before action is taken is advantageous, we find it concerning that was the CRA’s main takeaway from the lockout. If the CRA had done a post-mortem analysis, it could have enhanced its processes by learning from its mistakes, and therefore communicate more effectively with Canadians in the future.
There are many improvements the CRA made after the lockout, including the two outlined below:
Prior to March 13, 2021, the CRA did not allow access to a CRA Account if one credential was compromised. However, the CRA has since improved how it safeguards CRA accounts. As of March 13, 2021, it no longer locks accounts when it identifies credentials that are potentially compromised. In these cases it only revokes the affected credentials. In doing so, users can still access their CRA Account using another credential, through a Sign-In Partner, or provincial partner. Therefore, if one credential has been revoked, the user can still access their CRA Account another way.
To access the CRA Account that is linked to Social Insurance Number (SIN) 999 999 999 the user may have two different ways to log in, including:
Credential 1 with:
CRA User ID: dogsofcanada
Credential 2 with:
CRA User ID: catsofcanada
If only Credential 1 is identified as compromised the CRA will now only lock access to the CRA Account belonging to SIN 999 999 999 from Credential 1. However, the user can still gain access using Credential 2.
This experience is much more seamless for Canadians because they can now create new credentials without having to call the CRA contact centre, while also protecting the integrity of CRA accounts.
Since opening our examination, the CRA has been proactive on communicating with Canadians for any upcoming revocations; it included the media and provided contextual alerts on its webpages. This is a helpful approach in addition to now emailing specific instructions to Canadians directly when a credential is revoked.
This examination has highlighted a reccurring issue at the CRA, where it communicates reactively rather than proactively.
The CRA admitted that it was reactive after the lockout, but it could have prevented this by being proactive and creating a sufficient plan, before it locked out 187,000 Canadians. This is not acceptable, Canadians deserve to be informed. Canadians shouldn’t need to call the CRA to find out more information, especially with all the recurring issues about access to contact centres. Further, social media forums, the media, representatives, and community organizations shouldn’t need to fill the gap when the CRA fails to adequately respond to an issue. The CRA needs to re-examine its communication efforts and proactively communicate with Canadians:
- when they need it
- through the channel they prefer to use including Canada.ca
Now more than ever society is empowered to tackle issues and communicate immediately. The CRA needs to catch up. The CRA must not wait until an issue hits a certain threshold to act. It should be prepared to take action when appropriate.
While we acknowledge not everything requires a formal statement, we do know that publicly available information is needed.
To address the issues raised in this report, the Taxpayers’ Ombudsperson makes the following recommendations to the Minister of National Revenue and the Chair of the Board of Management of the Canada Revenue Agency:
- The Taxpayers’ Ombudsperson recommends the CRA conduct a formal review of its processes to ensure it has a flexible plan that provides for a coordinated effort to proactively inform Canadians, in a timely manner, namely on Canada.ca, through social and traditional media, and email about issues that could affect them.
- The Taxpayers’ Ombudsperson recommends the CRA create an update schedule for its contextual alerts to ensure the information that it is still providing is helpful and up to date.
- The Taxpayers’ Ombudsperson recommends the CRA ensure that it always provides a link for more information to the Government of Canada’s web presence, such as Canada.ca, from its social media posts.
- The Taxpayers’ Ombudsperson recommends the CRA make the information it provides to Canadian media outlets available to Canadians at the same time, for example, through Canada.ca.
- The Taxpayers’ Ombudsperson recommends the CRA ensure that it has an issue management plan that is adaptable so it can efficiently communicate with Canadians when there is an emerging issue.
- Date modified: