How safe is your data with the taxman?

Security at the Canada Revenue Agency certainly isn't perfect.

Last year, someone — allegedly a 19-year-old student at the University of Western Ontario — hacked into its servers by using the much-publicized Heartbleed security flaw and made off with the social insurance numbers of more than 900 taxpayers.

A few months later, the taxman accidentally sent CBC News confidential details about prominent Canadians, including former prime minister Jean Chrétien and author Margaret Atwood, such as their home addresses and the value of certain tax credits they were granted.

And in 2013 a report from the federal privacy commissioner warned of "marked weaknesses" in CRA's privacy and security habits, finding, among other things, that thousands of taxpayers' files had been inappropriately accessed by employees for reasons including "personal gain, preferential treatment and fraud."

All of which raises the question, how secure is the CRA? How concerned should Canadians be that their financial data might end up somewhere else entirely, used for who-knows-what nefarious purposes?

The CRA is understandably reluctant to spell out how, exactly, it protects that data. You might as well ask your bank for details about its safe.

But according to one security expert, the short answer is: don't worry. Your tax information simply isn't that interesting, useful or valuable.

Not worth it

Tax agencies, in general, are "hard to break into and not all that rich in data," said Allan Paller, director of research at the SANS Institute, a U.S. cybersecurity firm.

'There are better sources [of data] that are less effectively protected.'- Allan Paller, cybersecurity expert

"They've got your employer, and they know your income, but they don't have passwords. They don't have the other things you need to take over accounts," Paller said.

"There are better sources [of data] that are less effectively protected."

These include retailers and credit rating agencies, for example.

Home Depot said the hacker attack that hit its servers in 2014 may have affected as many as 56 million credit and debit cards in Canada and the U.S., information of much more immediate use to the average cybercriminal.

The big three credit rating agencies in the U.S. — Equifax, TransUnion and Experian — were also the victims of successful hack attacks in 2013 and 2014.

Tax returns shown in storage at the CRA. One of the more common privacy breaches is employees accessing taxpayer information for personal gain. (CRA)

It's true that a stolen SIN can be used for identity theft. But thieves, say experts, are more likely to go the easier route of stealing credit card or other banking information.

Making illicit use of a SIN represents "a lot more effort and risk," said David Jao of the Cheriton School of Computer Science at the University of Waterloo, though it's also true the victim will have a harder time recovering from a stolen social insurance number than from a skimmed credit or debit card.

Banks and credit card companies "have the luxury … of just giving the money back" once fraud has been exposed, Jao said. "But if someone's identifying information is stolen, you cannot make them whole again."

All IT systems vulnerable

Revenue Canada, as the CRA is still commonly called, lost its grip on some 900 SINs because of Heartbleed. But by completely shutting down its online services until the crisis was over and giving Canadians a few extra days to e-file their returns, the agency dealt with the problem well, says Ian McKillop, an associate professor of management and systems, also of the University of Waterloo.

And that, he says, is arguably more important.

As important as the security breach itself is how an agency handles it, say experts. The CRA shut down its website in the wake of the Heartbleed attack and extended last year's filing deadline. (Evan Mitsui/CBC)

Because there's probably no such thing as perfect security, McKillop says it's often more helpful to judge an organization by how well it responds to security problems rather than by the problem itself.

"All information systems, whether they be at the CRA or someplace else, involve humans, and we bring our own frailties to the mix," he said.

What we can, and should do, according to McKillop, is make systems as secure as possible and have plans in place to deal with the inevitable break-ins.

On that point, regarding Heartbleed, he gives CRA high marks. The taxman's response — although criticized at the time as being too slow — was "brave" and appropriate, he said.

But hackers are just one, relatively small, part of the problem. The bigger and trickier question is how to deal with employees inside an organization that misuse their access to sensitive information.

The employees who were caught snooping at CRA were disciplined according to the agency and the privacy commissioner's report. Some got a warning; others were fired.

As to whether the agency has improved its overall security habits — the privacy commissioner is expected to revisit that question with a follow-up on its 2013 audit later this year.