The Lockout: Communication Was the Key

An examination into the Canada Revenue Agency (CRA)'s lack of communication when it locked out 187,000 Canadians from their CRA account in February 2021.


Office of the Taxpayers’ Ombudsperson
1000-171 Slater Street, Ottawa, ON  K1P 5H7
Telephone: 613-221-3109 | Toll-free: 1-866-586-3839
Fax: 418-566-0321 | Toll-free: 1-866-586-3855

© Minister of Public Services and Procurement Canada 2022

Cat. No.: Rv10-22/2023E-PDF
ISBN: 978-0-660-45835-9


Contributors

Lead Systemic Examination Officer:
Tristan Benson

Manager Complaints and Examinations:
Line De Matteis

Additional contributors

Graphic Design and Layout:
nineSixteen Creative Inc.

Communications Lead:
Maxime Poulin



Foreword


We went into this examination mindful of the context in which the Canada Revenue Agency (CRA) was operating in February 2021.

Specifically, months earlier, in the summer of 2020, “credential stuffing” attacks were perpetrated against some CRA Accounts and the GCKey service. The GCKey service is used to access multiple government online accounts. These cyber attacks were acknowledged by the Government of Canada’s Chief Information Officer and led the CRA to take further steps to secure its accounts to prevent fraud from being perpetrated by bad actors. This was especially important at the time because applications for many COVID-19 benefits were still open.

In addition, during this period, and in the months that followed, the CRA was receiving significant media attention because some COVID-19 benefit recipients were being told there might be issues establishing their eligibility for the payments they received, and that they might need to repay some of these amounts if their eligibility could not be confirmed.

While we acknowledge the CRA had multiple competing priorities at the time, its lack of communication after it unintentionally emailed 119,200 Canadians led to many becoming aware that they were locked out of their CRA Account while not being immediately informed as to why.

While secrecy may be a tool in cybersecurity, the CRA identified that there were shortcomings in its coordination and communication efforts because it needed to deploy new security measures quickly.

This report lays out the importance of timely communication even at times when there are competing priorities. Complete, accurate, clear, and timely information is what Canadians expect of the CRA, especially in times of crisis. The CRA should take all necessary steps to ensure this does not happen again. While the CRA quickly improved its process for securing accounts to be less disruptive and more informative, the recommendations in this report will help the CRA deliver information to Canadians for all situations, in a timely manner.


François Boileau 
Taxpayers’ Ombudsperson




Mandate of the Taxpayers' Ombudsperson


The mandate of the Ombudsperson is to assist, advise, and inform the Minister of National Revenue about any matter relating to services provided by the CRA. It is set out at Article 4 of the Order in Council P.C. 2020-0703. We fulfill this mandate by communicating, facilitating, examining, and influencing.


Communicate

Everything we do starts with you. Once you make a complaint with us, we will contact you to listen and discuss your issue. We are impartial and objective. We will advocate for neither you nor the CRA. We will conduct an independent review of your complaint, and if we identify a service gap, we will work to resolve it.

Further, we reach out to organizations to inform them of our services and listen to the issues they and their clients or members are experiencing with the CRA’s service.


Facilitate

If you have a service issue and calling the CRA does not resolve the issue, then you can file a complaint with CRA Service Feedback at Canada.ca/cra-service-feedback. CRA Service Feedback allows Canadians to submit a complaint, or provide positive feedback, to the CRA.

If you submit a complaint to us, and you have not filed a complaint with CRA Service Feedback, we can facilitate this process for you. Sometimes issues can only be solved by talking to someone at the CRA. We can facilitate this contact if your situation is compelling.

We generally consider situations compelling if waiting for the CRA Service Feedback to finish its review will:

  • limit you from having the basic necessities of life
  • limit your business from operating
  • significantly impact your mental health and/or reputation

Examine

If CRA Service Feedback does not resolve your service issue, contact us. We can examine the issue. We will review the CRA Service Feedback response and case. We will ask you and the CRA questions, analyze the information we receive, and provide you with our findings.

We also look into trending issues we hear from complainants. If we identify a trend, we will review it to see if we can play a role in addressing it, with the CRA’s help.


Influence

Our goal is to make meaningful, feasible recommendations to improve the quality of service the CRA delivers. These recommendations can impact a specific taxpayer or a segment of the population.




What we do


Our role

We are here to improve the service the CRA provides to taxpayers by reviewing service complaints. We also look at issues that can affect more than one person.

A taxpayer is generally someone who is liable to pay a tax, eligible for a benefit, or provided with a service by the CRA.

We review unresolved service issues linked to eight of the service rights outlined in the Taxpayer Bill of Rights. To view the eight rights we uphold, go to Canada.ca/oto-your-rights.

We can also facilitate contact from the CRA when a situation is compelling. Further, if a service issue affects more than one person or a segment of a population, we can review it to determine if there is an underlying issue so we can provide recommendations to resolve it.

In addition, we reach out to organizations, listen to Canadians, and carry out research to give a voice to vulnerable populations who may not otherwise be heard. This gives us a better understanding of Canadians’ impressions of the CRA and helps us focus our research on issues needing review.


Serving you

We serve taxpayers and their representatives. We also serve vulnerable people who may not reach out to us directly.


Connecting with you

We are constantly striving to connect with more Canadians and become more well known. We encourage Canadians to take advantage of our free service, if they have any unresolved service issue with the CRA.


How we operate

The Taxpayers’ Ombudsperson reports directly to the Minister of National Revenue. While we do work independently from the CRA, we are administratively linked when managing financial and human resources. In other words, we do not have direct access to taxpayer information found in CRA databases but we do have processes in place, and with your consent, we exchange your information with the CRA to resolve your service complaint.




Introduction


In early February 2021, right before the CRA opened the tax-filing season for 2020 income tax and benefit returns, there was a considerable change in what we were hearing from complainants. We began hearing about restricted access to their CRA accounts.

40% of complaints we received between February and March 2021 identified an issue related to their CRA Account.

This issue became front and centre at our Office on February 16, 2021, when we saw a spike in complaints about CRA accounts, heard first hand from Canadians, and saw reports in the media.

 

Number of Cases/Complaints - 2021 (by day of the month)

Day        1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
January    0  0  0  4  2  2  2  2  0  0  2  2  1  0  1  0  1  3  4  3  1  1  0  0  3  2  1  2  3  0  0
February   2  5  2  1  3  0  1  3  3  2  3  4  0  0  3  8 19  8  6  0  0  8  8 15 24 22  0  1
March     26 14 12 10  2  2  0  8  6  1  3  1  0  0 13  3  1  1  4  0  1  6  3  9  2  2  0  0  5  4  3

 

The majority of Canadians rely on their CRA accounts to communicate with the CRA online.

CRA accounts allow:

  • you to view your personal income tax and benefit information, and manage your tax matters online: change your return, change your address or telephone number, sign up for email notifications from the CRA, authorize your representative or formally dispute your assessment or determination through My Account
  • authorized representatives online access to the personal tax and benefit information and/or business account information of an individual or business, or your employer through Represent a Client
  • businesses access to GST/HST, payroll, corporation income taxes, excise taxes, excise duties, and other levies accounts online through My Business Account

Affected CRA account users were all reporting being locked out of their account after receiving an email from the CRA which read:


Subject: Email Address Removed – Canada Revenue Agency / Adresse de courriel supprimée – Agence du revenu du Canada

English version *** La version française suit ***

Dear ******:

This email address has been removed from your Canada Revenue Agency account.

You will no longer receive email notifications to this email address.

This is an automated email message. Please do not reply.

Version française *** The English version precedes ***

Cher/Chère ****** :

Cette adresse de courriel a été retirée de votre compte de l’Agence du revenu du Canada.

Vous ne recevrez plus les avis par courriel à cette adresse de courriel.

Ceci est un message électronique automatisé. Veuillez ne pas y répondre.

We saw the unsolicited email caused many Canadians to be concerned, and we understood why: Canadians did not request the removal of their email address. In addition, the email they received from the CRA failed to provide any meaningful information. When they checked their CRA account to validate the information found in the email, an error message indicated their account was locked and told them to call the CRA.

At this time, the CRA had not communicated to anyone, including the affected users, that it locked CRA accounts. However, given all the confusion and media coverage on this topic it was clear the CRA needed to make a public statement. Doing so would have built trust with Canadians and helped the CRA fulfil its vision to be trusted, fair, and helpful by putting people first.

Many Canadians who were locked out of their CRA account followed the CRA’s instructions and called its contact centre, hoping to connect with an agent and regain access. This led to an additional issue, as those who called the CRA became dissatisfied by their CRA contact centre service experience. While many were initially concerned about being locked out of their CRA account, they became frustrated when they were unable to reach an agent at the CRA to try and resolve the matter. Further, their frustration continued because even though the CRA’s contact centre was at capacity, the CRA still encouraged people to call when replying to them through its social media.

Consequently, the CRA’s contact centre rejected many of these calls because its queues were full. However, even the callers who managed to get into the queue were dissatisfied, because for weeks they were forced to endure long wait times; callers reported getting prematurely disconnected, and some who spoke with an agent just got transferred to another queue to face even longer wait times.

The Canadians who managed to get through in the first couple of days and regain access were still provided with little information as to why their email address was removed.

It wasn’t any easier for those who chose not to call to get clarity on why they received the email. This was because, for many hours, the CRA remained silent. On February 16, and for most of February 17, 2021, Canadians publicly expressed that they could not get the clarity they needed from the media, on Canada.ca, or from the CRA’s social media accounts on the reasons why they had received this email or why their access to their CRA account had been locked.

This lack of clear communication by the CRA is what led us to open this examination. Our goal was to examine the CRA’s communication efforts and identify any opportunities to improve its communication to Canadians.



Back to Top

Background and Timeline


From February 8–9, 2021, the CRA was reviewing CRA User IDs and Passwords, referred to as “credentials,” so that it could identify any that could potentially be compromised and give unauthorized access to CRA accounts.

These credentials may have been compromised by unauthorized third parties, external to the CRA, who may have obtained them through a variety of methods, such as email phishing schemes or third-party data breaches.

The CRA’s review identified 187,000 CRA accounts that could be accessed by potentially compromised credentials. To secure the affected CRA accounts, the CRA locked them on February 11, 2021. Then, on February 16, 2021, the CRA removed the email addresses from 119,200 of these accounts. This allowed taxpayers to get paper mail sent to them, in the meantime, while they did not have access to their account. Normally, when the CRA removes an email address from a CRA account it sends out an automatic email to the taxpayer. This email is usually suppressed when the CRA is locking the account without first consulting with the taxpayer. However, this time, the CRA failed to prevent this email from getting sent out. This resulted in the CRA unintentionally sending out an email to each of the 119,200 taxpayers who had an email address on file with the CRA.

Within approximately an hour, the CRA realized it had sent the emails in error and soon began to hear from the media.

The CRA provided responses to the media, and late on February 17, 2021, it provided additional information through its social media accounts.

Then 24 days later, March 12, 2021, it issued a statement, entitled: “Accounts locked on February 16” on Canada.ca.

Then 56 days after that, May 7, 2021, the CRA sent a letter to the 67,800 taxpayers who did not have an email address on file with the CRA informing them their credentials were revoked.

 

Timeline of events

February 8-9

  • CRA analyzes 18.7 million credentials
  • Identifies problematic credentials linked to 187,000 unique CRA accounts

February 11

  • CRA locks out the 187,000 affected taxpayers from their CRA Account

February 16

2:30 P.M. EST

  • CRA removes the email addresses from the 119,200 accounts with an email address
  • This removal triggers an automated message being sent to each taxpayer, normally suppressed

~2:30 P.M. EST

  • 119,200 taxpayers received an unsolicited email indicating their email address was removed

3:35 P.M. EST

  • CRA realizes an error occurred after it did not suppress the email from being sent out

4:47 P.M. EST

  • Canadian Media outlets begin to report on the issue

February 17

9:25 P.M. EST

  • CRA provides more information through its social media accounts and posts a bulletin on Canada.ca

March 12

8:54 P.M. EST

  • CRA releases the statement, “Accounts locked on February 16,” on Canada.ca

May 7

  • CRA sends a letter to the 68,000 taxpayers who did not have an email address on file



The Impact on Canadians


To fully understand the impact the lockout had on Canadians, we needed to look at how it affected them.

The CRA indicates that it has embarked on a transformation journey to strengthen its service offerings to meet client needs and expectations by putting people first. Further, it indicates it wants to be more client-centric and has developed a new philosophy placing Canadians at the centre of its decision making. Its goal is to provide Canadians with “access to easy-to-understand, high-quality and consistent information, and proactive and personalized support, regardless of the channel they prefer to use to communicate with the CRA.” Yet, its communications efforts, after it locked out 187,000 Canadians from their CRA account, failed to:

  1. put people first
  2. be client-centric
  3. provide consistent information regardless of the channel Canadians preferred to use

However, most importantly, the CRA did not recognize the impact its lack of action had on each affected individual and all other Canadians who put their trust in the CRA. Instead, they were left with a lack of proactive communication after it locked out thousands of Canadians from their accounts and unintentionally sent them an email in error.

After numerous communications with the CRA, we tried to get to the root of the problem. While the CRA acknowledged its communications efforts could have been better, it did not adequately acknowledge the impact its actions, or lack thereof, had on Canadians.

Even Canadians who did not receive an email from the CRA were impacted. We found that some were anxiously awaiting reassurance from the CRA that there was not a security breach. It took the CRA up to six days and five hours to inform Canadians that it locked their accounts and over one day and five hours to go public on social media and on Canada.ca after it realized it unintentionally sent the emails to 119,200 Canadians. This left many Canadians relying heavily on media and others ultimately were left in the dark with no direct reassurance from the CRA.


Questioning

At a time when “[c]lose to six in 10 (57 per cent) Canadians have seen fraud attempts increase …[,]” and soon after the CRA has had its own cyber incidents, it should have been especially aware and mindful of the impact its unsolicited email had on Canadians.

Understandably, many Canadians, after receiving the CRA’s email, questioned themselves, asking:

Did my CRA account get hacked? Is this fraud?
Has there been a data breach?

In 2021, there were 106,974 reports of fraud in Canada, impacting 67,916 Canadians, losing 381 million dollars. Footnote 1

The CRA did not have to look much further than its own social media accounts to see that Canadians were questioning the email they received. They were reporting “Was the CRA just hacked?...” “…I am assuming it’s a glitch in the system or Cra has been hacked?...” “…did the CRA get hacked today?”, “My account has been hacked and it has been impossible to get through to anyone on the CRA fraud line…”

It was clear Canadians were questioning the reason they received this email. Many soon expressed that they were starting to feel anxious.


Anxiety

Canadians were anxious at the possibility their CRA account was compromised. This is because at the time the CRA was still administering many COVID-19 benefits. These benefits were a lifeline for many Canadians who relied on them to afford the basic necessities of food and shelter or to continue to operate their business. Some were scared at the thought the CRA could have been hacked and that access to their much needed benefits could be impacted.

Canadians reached out to the CRA indicating: “My email got removed; I am scared out of my mind right now…” and “This is scary…!”.

However, as the media became aware of the situation it reached out to the CRA and was provided more detailed information. This resulted in Canadians being reassured the CRA was not hacked. We observed, while Canadians began to express less anxiety, they soon began to voice their frustration with the CRA for its lack of communication.


Frustration

We saw that Canadians demanded the CRA provide them with more information, and many of their pleas were left unanswered for over 29 hours.

To make matters worse, the CRA, which was usually very active on social media, averaging three Twitter posts per day in 2021, did not make a single post after sending the emails in error until over 29 hours later.

To us, Canadians were clear about what they needed: they needed direct communication. The CRA indicates that it will “read all direct mentions on social media,” yet despite reading what Canadians were saying it did not take any meaningful action within a reasonable time period.

Taxpayers indicated “Can you please provide communication about the emails that went out declaring email addresses removed and accounts getting locked down?” “it’s garbage that we as [C]anadians need to place this kind of mass pressure on such an institution (i.e. one that we cannot avoid using) to get communication. do better.” “I don’t know if I find comfort knowing that so many people are in this mess together, or disappointment that someone in communications is ignoring everyone’s concerns. Speaks volumes as to what privacy means for the CRA.”

A key aspect of the CRA’s “putting people first” philosophy should be to fully understand the impact its actions, or inaction, can have on Canadians. Hopefully, this report shines a light on what Canadians experienced and encourages the CRA to communicate more proactively going forward.




Findings and Observations - The Crisis


Main issue

One of the main issues of this examination was the fact that the CRA was not prepared to share information about the action it took. Although it did not communicate with Canadians in a timely manner after it locked out 187,000 Canadians and unintentionally emailed 119,200 of them, it should have been prepared to share information with Canadians as soon as it locked the accounts.

As a taxpayer, you can expect the CRA to provide you with complete, accurate, clear, and timely information. This is right 6 from the Taxpayer Bill of Rights.

Learn more about your rights and the eight rights we uphold at Canada.ca/oto-your-rights.

The CRA seemed to have a goal in mind: protect Canadians and perform an analysis of credentials that could be potentially compromised and misused by unauthorized third parties.

Having the CRA take action to safeguard accounts is commendable, and expected. With the increasing amount of data being stored online, Canadians and organizations need to be careful in securing online accounts to ensure that there is no unauthorized access to their accounts. Although the CRA knew the analysis would likely result in potentially compromised credentials and accounts being locked, it did not have a sufficient plan to immediately inform affected Canadians of its action, and how to resolve it.

It is important to understand that even if the email sent in error had not been sent, those 187,000 accounts were already locked regardless. The CRA was not prepared to immediately inform the affected Canadians. This left many Canadians in the dark.

Recommendations in this systemic examination report are made to the Minister of National Revenue and the Chair of the Board of Management.


Recommendation 1

The Taxpayers’ Ombudsperson recommends the CRA conduct a formal review of its processes to ensure it has a flexible plan that provides for a coordinated effort to proactively inform Canadians, in a timely manner, namely on Canada.ca, through social and traditional media, and email about issues that could affect them.

Understanding of the issue

When examining this issue, we recognized it as a crisis for the CRA and the 187,000 Canadians impacted. Further, to effectively put people first at the CRA, it needed to look at this situation as a crisis, and not underestimate the situation or fail to recognize its seriousness.

Communicating in a crisis

To communicate effectively in a crisis, we must first understand how people process information during a crisis.

As part of our crisis research, we looked at the Centers for Disease Control and Prevention’s Crisis and Emergency Risk Communication (CERC), which “provides trainings, tools, and resources to help health communicators, emergency responders, and leaders of organizations communicate effectively during emergencies.” It also makes available a manual, Psychology of a Crisis, that describes the four ways people process information during a crisis.

They indicate people will:

  1. simplify messages
  2. hold on to current beliefs
  3. look for additional information and opinions
  4. believe the first message

From this, the CERC identifies four desirable traits that messages should have from the communicator.

Specifically, they should be:

  1. simple
  2. disseminated from a credible source
  3. consistent
  4. accurate and timely

These four traits effectively capture what was needed during the CRA Accounts lockout crisis. Below we will examine how each could have had an impact on the lockout. Putting people first should start with keeping Canadians informed.

Simple messages

When we look at the messages the CRA provided during this crisis, some were neither direct, nor concise.

For example, the CRA’s main statement that was provided to many media outlets did not emphasize that:

The statement read:

Hello,

The Canada Revenue Agency (CRA) would like to take the opportunity to clarify an alert that was sent on February 16 regarding the email addresses associated with some CRA accounts. Taxpayers may have received a notification from the CRA indicating that their email address has been removed from their account.

To be clear, these accounts were not impacted by a cyber attack at the CRA. These accounts have not been compromised and the action taken to lock the accounts was a preventative measure. In today’s increasingly digital world, organizations must constantly take steps to safeguard sensitive information against constantly evolving threats. The protection of taxpayer information is of the utmost importance for the CRA. This is why we have stringent and ongoing measures in place to analyze and identify and mitigate against potential threats.

In this particular case, an internal analysis revealed evidence that some account credentials (i.e. user IDs and passwords) may have been compromised, and may be available for use by unauthorized individuals. These credentials were not compromised as a result of a breach of CRA’s systems. Rather, they have been obtained through a variety of means by sources external to the CRA. As a precautionary security measure and to prevent unauthorized access to these accounts, we took swift action to lock the accounts and are in the process of contacting the legitimate account holders to unlock their accounts.

We will work with impacted individuals to re-establish their credentials and unlock their accounts. There is no urgent need for taxpayers to contact us imminently unless they are an emergency benefit applicant and have active applications in our system. We will prioritize these calls to minimize delays in the delivery of these crucially important emergency benefits.

Canadians’ vigilance in protecting account information is also an essential layer of security. The CRA reminds all Canadians that it’s important to monitor their CRA accounts for any suspicious activity including unsolicited changes to banking, mailing address or benefit applications made on your behalf. Canadians are also encouraged to change their passwords regularly.

Since the occurrence of cyber incidents in summer 2020, the CRA has introduced a number of additional safeguards and proactive measures to increase the security of our online accounts, including the introduction of multi-factor authentication.

We thank Canadians for their patience as we work to reactivate accounts and remain vigilant regarding our online security to ensure the protection of taxpayer information. We regret this inconvenience.

For more information on how to protect yourself against fraud, please visit our website.

While the statements provided on LinkedIn and Facebook were simpler, its Facebook statement failed to inform Canadians there was no urgent need for them to unlock their account, unless they needed COVID-19 benefits. However, the CRA did do so on Facebook when it responded to taxpayers’ comments. It is clear the CRA overlooked the power of simple messaging in a crisis. This oversight likely led to more questions from Canadians at a time when they needed clarity.

The CRA could have simply said:

To safeguard taxpayer information, we locked some CRA accounts. Credentials (i.e. CRA User IDs and passwords) used to access these accounts could have been compromised by a third party, external to the CRA.

This was not caused by a cyber attack at the CRA.

Every affected account with an email address was sent an email indicating their email address was removed.

Do not contact us to unlock your account unless you are in urgent need of a COVID-19 benefit.

We will reach out to everyone affected.

This simplified messaging would have provided the necessary information to Canadians and emphasized that there was no need to call. Further, it would have alleviated the additional issue the CRA caused to its Contact Centre at the start of its 2021 tax season.

27,100 Canadians who were locked out of their CRA Account likely spent a combined total of nearly 3,000,000 minutes (50,000 hours) waiting on hold in the span of four weeks trying to talk to the CRA and ultimately regain access.

Unfortunately, all of this time was wasted because as early as February 23, 2021, the CRA was actively pursuing an alternative solution for taxpayers to regain access to their CRA Account, without the need to contact the CRA. Further, by March 1, 2021, the CRA was confident in this new approach, yet it failed to update its contextual alerts on its online services webpages to communicate this to Canadians. Rather, Canadians were presented with the same message on Canada.ca from February 17, 2021, until March 12, 2021.

The CRA should have made Canadians aware that it was actively pursuing an alternative approach to help them regain access to their CRA Account. By doing so, it would have lessened the burden it caused to its Contact Centres, as well as the frustration and anxiety experienced by many Canadians.


Recommendation 2

The Taxpayers’ Ombudsperson recommends the CRA create an update schedule for its contextual alerts to ensure the information that it is still providing is helpful and up to date.

Credible source

After this incident occurred, what we found to be of concern to Canadians as well as our Office, was the lack of information available on Canada.ca and the CRA’s reliance on social media to provide the full picture.

The Government of Canada’s website, Canada.ca, has built a reputation as being a credible source for all Government of Canada communications and information (including its departments and agencies).

Due to the limited character count on certain social media platforms, any information posted on social media should link to a Canada.ca webpage with more information. This is not just our view, but is also that of the Treasury Board of Canada Secretariat, which governs the mandatory guidelines for Government of Canada social media and web communications.

However, after the CRA emailed taxpayers, it did not provide a link from its social media posts to Canada.ca; rather, it provided a link to its LinkedIn page, which was not easily accessible.

We knew the CRA needed to communicate to all Canadians. Why didn’t they?

The CRA needed to communicate to all Canadians, as even non-impacted Canadians were questioning the CRA’s infrastructure and what was happening at the CRA.

Therefore, the CRA should have been prepared to reassure Canadians as soon as it realized what had happened.

The CRA has told our Office that if it were to publish a statement on Canada.ca, it would not have been direct enough. We respectfully disagree. A statement on Canada.ca is direct and comes from the foremost source. While posting a statement on Canada.ca may not reach each affected CRA account user directly, the CRA could have also emailed and mailed the same statement to the affected Canadians. Yet, the CRA indicates it could only email the statement if it added the emails back into its system and it chose not to. The CRA’s responses to the questions we asked during our examination demonstrated that the CRA created barriers to communicating with those affected. There may never be one perfect solution, but the CRA’s solution in this instance was insufficient.

Recommendation 3

The Taxpayers’ Ombudsperson recommends the CRA ensure that it always provides a link for more information to the Government of Canada’s web presence, such as Canada.ca, from its social media posts.

Consistent messaging

While communication is key, consistency in the messaging is equally important. Consistency helps to build trust and confidence in the messaging. However, for this crisis, the CRA was not consistent, whether in its messaging to its Contact Centre agents and the media, on Canada.ca, or through its posts at the time on its social media accounts: Facebook, LinkedIn, and Twitter. While each of the CRA’s statements appears to have deficiencies, one thing was apparent: the lack of consistency in its messaging. Further, the CRA failed to explain why its communication lacked consistency.

While we are aware of the character limitation on Twitter, there are other methods of providing more detailed information. For example, if it were to have posted its LinkedIn statement on Canada.ca, it could have avoided this limitation, while also providing consistent messaging from an accessible and reliable source. However, the CRA provided inconsistent statements that were confusing to the reader. A consistent statement provided through all its communication methods would have helped the CRA restore its trust with Canadians and ultimately would have been helpful to many.

Accurate and timely

No communication for up to six days and five hours is not timely or acceptable. The Canadian Chamber of Commerce provides a Crisis Communications Planning Guide available for information purposes. In it there are Principles of Effective Crisis Communications highlighting that there is “always something you can say,” and that “All other communications should be paused.” While the CRA stopped all other communications until it addressed this email situation, it took the CRA one day and five hours to respond to those who received an email, and up to six days and five hours for those who tried to log in and were locked out of their account.

We commend the CRA on being proactive by identifying potentially compromised credentials and safeguarding sensitive information against constantly evolving threats. However, due to the notification email, the CRA had to be reactive rather than being strategically prepared to communicate how it safeguards sensitive information. While it communicated important information to the media, it did not effectively communicate with Canadians directly.

Therefore, the CRA must start improving its communication by making public the information it provides to the media. This would have helped make the information it provided more timely. If it is important enough to provide to the media it is important enough to provide to all Canadians on Canada.ca.

Recommendation 4
The Taxpayers’ Ombudsperson recommends the CRA make the information it provides to Canadian media outlets available to Canadians at the same time, for example, through Canada.ca.

In addition, the CRA failed to take ownership of the issue and did not disclose the reason Canadians received the emails. While we recognize that errors happen, there is no reason to not be up front with Canadians.

Further, and more concerning, is that 24 days later, when the CRA finally provided a statement on Canada.ca, it was inaccurate. Specifically, it was entitled “Accounts Locked on February 16”; however, the accounts were actually locked on February 11.

The CRA must be more mindful of right number six in the Taxpayer Bill of Rights, which tells Canadians they have the right to complete, accurate, clear, and timely information from the CRA. Doing so will help the CRA communicate more effectively.



Findings and Observations - The Communication Approach

Because the CRA failed to follow a sufficient crisis communication strategy, its approach created some unique issues, many of which further exacerbated the problem.

Specifically, the CRA:

Easily accessible

As stated earlier, for the CRA to make its statement on the lockout most accessible, it should have made it available on Canada.ca. However, the CRA opted to make it only available on social media until March 12, 2021. This led to two additional issues:

  1. When Canadians wanted to find out more information and went to the CRA’s Tweet they were re-directed to the CRA’s LinkedIn page. However, LinkedIn prevented some users from accessing their site without first logging in. This is something many users would likely opt not to do, especially after learning their credentials may have been compromised. We made the CRA aware of this issue and it stood by its decision to do this. It indicated that in the original testing, it found that once users were “redirected to the Canada Revenue Agency’s LinkedIn main page, users would have been able to see the then-pinned post highlighting the lockout update.” However, even to this day we are unable to access the CRA’s LinkedIn page from its Tweet. While we can navigate to the CRA’s LinkedIn page independently we are always prompted for credentials after clicking the hyperlink in the Tweet.
  2. Francophone Canadians who were fortunate enough to gain access to the CRA’s LinkedIn page would soon not have had easy access to the CRA’s Update. This is because LinkedIn rules only allow one Update to be at the top and the CRA chose the English update. This allowed the English post to be highlighted at the top, but left the French post buried after additional posts were made a day later.

These unique issues could have been prevented, and Canadians could have been provided the information they needed by linking to additional information on Canada.ca. When more information is required from a social media post the CRA should drive Canadians to more information on Canada.ca 100 percent of the time.

Procedures and directives

The CRA has updated its Issues Management Directive following the lockout. This directive provides guidance on how “[t]o anticipate, identify, assess, mitigate, respond to, and communicate effectively regarding internal and external issues that could affect the CRA’s operations, ability to fulfill its mandate or undermine the trust and confidence of Canadians in the CRA.”

However, the CRA lacks a communication crisis plan that details the specific actions the CRA must take to address the crisis. While its Issues Management Directive is good at identifying broad steps to follow, it lacks the precision that is usually specified in a communication plan.

Recommendation 5
The Taxpayers’ Ombudsperson recommends the CRA ensure that it has an issue management plan that is adaptable so it can efficiently communicate with Canadians when there is an emerging issue.

Communication approach

One thing that became evident in our examination was the CRA’s reactive approach to the account lockout issue in its actions and communications. Even the CRA told our Office that it was reactive, not proactive. However, the CRA should do its best not to get caught off-guard and ensure that it involves subject matter experts at times when many Canadians could be affected. By consulting with communication subject matter experts the CRA could have been prepared should adverse impacts have been flagged. This was not the case during the lockout. Even in the days leading up to the lockout and even though it was analyzing credentials that were potentially compromised, the CRA was not preparing a communication plan.

During this time, and likely for weeks before, the CRA should have known what the review could uncover. Therefore, it should have known it needed a communication plan to ensure that it was prepared for the findings. However, what we heard from the CRA was that it did not do this and continued to have no communication plan until it changed how it secured accounts on March 13, 2021. Again, we were surprised that such an immense project failed to have a communication plan.

Empathy in service at the CRA

The CRA indicates that “Empathy is the ability and willingness to put oneself in another’s shoes and connect with their thoughts feelings and emotions, without judgment.” However, if the CRA’s employees had put themselves in another’s shoes and connected with their thoughts and emotions, they would have known Canadians wanted reassurance and direction quickly and efficiently. The CRA’s communication approach failed to provide this.

Conduct a post-mortem

The first step to improving your response is to question what went wrong. It is always better to learn from your mistakes so they are not repeated. One of the best ways to do so is to conduct a post-mortem and identify what went wrong, what worked, and what can be improved. Therefore, we asked the CRA if it performed a post-mortem, and felt its response was incomplete.

The CRA informed us that errors were made, identified, and acknowledged, but it still did not conduct a specific or formal review. Then, when we requested the CRA identify the errors it made, it merely indicated that the responsible areas within the CRA should have been briefed ahead of time, allowing it to prepare proper contingency plans, such as a communications plan.

While we agree that advance consultation before action is taken is advantageous, we find it concerning that this was the CRA’s main takeaway from the lockout. If the CRA had done a post-mortem analysis, it could have enhanced its processes by learning from its mistakes, and therefore communicated more effectively with Canadians in the future.



Improvements Made

There are many improvements the CRA made after the lockout, including the two outlined below:

Revoking credentials

Prior to March 13, 2021, the CRA did not allow access to a CRA Account if one credential was compromised. However, the CRA has since improved how it safeguards CRA accounts. As of March 13, 2021, it no longer locks accounts when it identifies credentials that are potentially compromised. In these cases it only revokes the affected credentials. In doing so, users can still access their CRA Account using another credential, through a Sign-In Partner, or provincial partner. Therefore, if one credential has been revoked, the user can still access their CRA Account another way.

For example:

To access the CRA Account that is linked to Social Insurance Number (SIN) 999 999 999 the user may have two different ways to log in, including:

Credential 1 with:
CRA User ID: dogsofcanada
Password: dogsarecool

Credential 2 with:
CRA User ID: catsofcanada
Password: catsarecool

If only Credential 1 is identified as compromised the CRA will now only lock access to the CRA Account belonging to SIN 999 999 999 from Credential 1. However, the user can still gain access using Credential 2.

This experience is much more seamless for Canadians because they can now create new credentials without having to call the CRA contact centre, while also protecting the integrity of CRA accounts.
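
The difference between the two approaches can be modelled directly. The following Python example is added here for illustration and is not CRA code: the class, function and policy names are assumptions, the replacement user ID "birdsofcanada" is hypothetical, and password checking and identity proofing are left out of scope.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Constructed model: one account (keyed by SIN) reachable through several credentials."""
    sin: str
    credentials: dict = field(default_factory=dict)  # user_id -> "active" | "revoked"
    locked: bool = False

def flag_compromised(account, user_id, policy):
    """React to a credential flagged as potentially compromised."""
    if user_id not in account.credentials:
        raise KeyError(f"{user_id} is not linked to this account")
    if policy == "lock_account":          # behaviour before March 13, 2021
        account.locked = True
    elif policy == "revoke_credential":   # behaviour as of March 13, 2021
        account.credentials[user_id] = "revoked"
    else:
        raise ValueError(f"unknown policy: {policy}")

def can_sign_in(account, user_id):
    """Only lock and revocation state are modelled; password checks are omitted."""
    return not account.locked and account.credentials.get(user_id) == "active"

def add_credential(account, user_id):
    """Self-service replacement credential (assumes identity proofing has passed)."""
    if account.locked:
        return False                      # a locked account cannot be recovered online
    if account.credentials.get(user_id) == "revoked":
        return False                      # a revoked user ID must not be reactivated
    account.credentials[user_id] = "active"
    return True

def simulate(policy):
    """Replay the report's example: Credential 1 is flagged, Credential 2 is not."""
    acct = Account("999 999 999", {"dogsofcanada": "active", "catsofcanada": "active"})
    flag_compromised(acct, "dogsofcanada", policy)
    return {
        "credential_1": can_sign_in(acct, "dogsofcanada"),
        "credential_2": can_sign_in(acct, "catsofcanada"),
        "self_service": add_credential(acct, "birdsofcanada"),  # hypothetical new ID
        "new_credential": can_sign_in(acct, "birdsofcanada"),
    }

if __name__ == "__main__":
    for policy in ("lock_account", "revoke_credential"):
        print(policy, simulate(policy))
```

Under "lock_account" every sign-in path fails, including the uncompromised Credential 2; under "revoke_credential" only the flagged credential is refused and the account never enters a locked state.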

Communication first

Since opening our examination, the CRA has been proactive in communicating with Canadians about any upcoming revocations; it included the media and provided contextual alerts on its webpages. This is a helpful approach in addition to now emailing specific instructions to Canadians directly when a credential is revoked.



Conclusion

This examination has highlighted a recurring issue at the CRA, where it communicates reactively rather than proactively.

The CRA admitted that it was reactive after the lockout, but it could have prevented this by being proactive and creating a sufficient plan before it locked out 187,000 Canadians. This is not acceptable; Canadians deserve to be informed. Canadians shouldn’t need to call the CRA to find out more information, especially with all the recurring issues about access to contact centres. Further, social media forums, the media, representatives, and community organizations shouldn’t need to fill the gap when the CRA fails to adequately respond to an issue. The CRA needs to re-examine its communication efforts and proactively communicate with Canadians:

Now more than ever society is empowered to tackle issues and communicate immediately. The CRA needs to catch up. The CRA must not wait until an issue hits a certain threshold to act. It should be prepared to take action when appropriate.

While we acknowledge not everything requires a formal statement, we do know that publicly available information is needed.



Recommendations

To address the issues raised in this report, the Taxpayers’ Ombudsperson makes the following recommendations to the Minister of National Revenue and the Chair of the Board of Management of the Canada Revenue Agency:

  1. The Taxpayers’ Ombudsperson recommends the CRA conduct a formal review of its processes to ensure it has a flexible plan that provides for a coordinated effort to proactively inform Canadians, in a timely manner, namely on Canada.ca, through social and traditional media, and email about issues that could affect them.
  2. The Taxpayers’ Ombudsperson recommends the CRA create an update schedule for its contextual alerts to ensure the information that it is still providing is helpful and up to date.
  3. The Taxpayers’ Ombudsperson recommends the CRA ensure that it always provides a link for more information to the Government of Canada’s web presence, such as Canada.ca, from its social media posts.
  4. The Taxpayers’ Ombudsperson recommends the CRA make the information it provides to Canadian media outlets available to Canadians at the same time, for example, through Canada.ca.
  5. The Taxpayers’ Ombudsperson recommends the CRA ensure that it has an issue management plan that is adaptable so it can efficiently communicate with Canadians when there is an emerging issue.
