Tax time 2015: How safe is your data with the CRA?

Security at the Canada Revenue Agency certainly isn't perfect.

Last year, someone allegedly a 19-year-old student at the University of Western Ontario hacked into its servers by using the much-publicized Heartbleed security flaw and made off with the social insurance numbers of more than 900 taxpayers.

A few months later, the taxman accidentally sent CBC News confidential details about prominent Canadians, including former prime minister Jean Chrtien and author Margaret Atwood, such as their home addresses and the value of certain tax credits they were granted.

• 5 security lapses at theCRA
• Lax security at CRA leads to privacy breaches
• Prominent Canadians' tax details leaked

And in 2013 a report from the federal privacy commissioner warned of "marked weaknesses" in CRA's privacy and security habits, finding, among other things, that thousands of taxpayers' files had been inappropriately accessed by employees for reasons including "personal gain, preferential treatment and fraud."

All of which raises the question, how secure is the CRA? How concerned should Canadians be that their financial data might end up somewhere else entirely, used for who-knows-what nefarious purposes?

• What's new this tax year?
• 8 things to know about the family tax cut

The CRA is understandably reluctant to spell out how, exactly, it protects that data. You might as well ask your bank for details about its safe.

But according to one security expert, the short answer is: don't worry. Your tax information simply isn't that interesting, useful or valuable.

Not worth it

Tax agencies, in general, are "hard to break into and not all that rich in data," said Allan Paller, director of research at the SANS Institute, a U.S. cybersecurity firm.

There are better sources [of data] that are less effectively protected.- AllanPaller, cybersecurity expert

"They've got your employer, and they know your income, but they don't have passwords. They don't have the other things you need to take over accounts," Paller said.

"There are better sources [of data] that are less effectively protected."

These includeretailers and credit rating agencies, for example.

Home Depot said the hacker attack that hit its servers in 2014 may have affected as many as 56 million credit and debit cards in Canada and the U.S., information of much more immediate use to the average cybercriminal.

• What to do if your credit, debit cards are compromised
• Home Depot admits 56 million cards breached
• 10 ways of getting in trouble with the CRA

The big three credit rating agencies in the U.S. Equifax, TransUnion and Experian were also the victims of successful hack attacks in 2013 and 2014.

It's true that a stolen SIN can be used for identity theft. But thieves, say experts, are more likely to go the easier route of stealing credit card or other banking information.

Making illicit use of a SIN represents "a lot more effort and risk," said David Jao of the Cheriton School of Computer Science at the University of Waterloo, though it's also true the victim will have a harder time recovering from a stolen social insurance number than from a skimmed credit or debit card.

Banks and credit card companies "have the luxury of just giving the money back" once fraud has been exposed, Jao said. "But if someone's identifying information is stolen, you cannot make them whole again."

All IT systems vulnerable

Revenue Canada, as theCRAis still commonly called, lost its grip on some 900 SINs because of Heartbleed. But by completely shutting down its online services until the crisis was overand giving Canadians a few extra days to e-file their returns, the agency dealt with the problem well, says Ian McKillop, an associate professor of management and systems, also of the University of Waterloo.

And that, he says, is arguably more important.

Because there's probably no such thing as perfect security, McKillop says it's often more helpful to judge an organization by how well it responds to security problemsrather than by the problem itself.

"All information systems, whether they be at the CRA or someplace else, involve humans, and we bring our own frailties to the mix," he said.

What we can, and should do, according to McKillop, is make systems as secure as possible and have plans in place to deal with the inevitable break-ins.

On that point, regarding Heartbleed, he gives CRA high marks. The taxman's response although criticized at the timeas being too slow was "brave" and appropriate, he said.

• Heartbleed bug delay begs explanation from CRA
• Heartbleed bug shows governments slow to react
• Why tax cheats in Canada are rarely jailed

But hackers are just one, relatively small, part of the problem. The bigger and trickier question is how to deal with employees inside an organizationthat misuse their access to sensitive information.

The employees who were caught snooping at CRA were disciplinedaccording to the agency and the privacy commissioner's report. Some got a warning;others were fired.

As to whether the agency has improved its overall security habits the privacy commissioner is expected to revisit that question with a follow-up on its 2013 audit later this year.