CRA loses box of 'sensitive' taxpayer information in truck accident

The Canada Revenue Agency lost a bin containing Canadians' tax information after the truck hired to transport the documents was involved in a highway accident earlier this year.

The incident was just one of almost 150 privacy breaches reported to the Office of the Privacy Commissioner in the first six months of 2019, according to an access to information release.

The tax agency had hired Purolator to transport eight bins of what's known as "protected B," or sensitive material, to an off-site storage facility back in February, according to a copy of the breach report.

The truck crashed on a highway north of Toronto before it could get to the facility.

One of those eight bins, containing 18 taxpayer and business-related records, remains missing.

Dany Morin, a spokesperson for the CRA, said the agency worked with Purolator and the Ontario Provincial Police for several months but never found the missing bin.

"This is the first time a secure bin has gone missing through a courier service," he said in an email to CBC.

Morin said protected B information "is considered sensitive information."

"If compromised, there is a potential for injury to an individual or organization such as a taxpayer, a benefit recipient or a business," said Morin.

"Protected B documents can contain information such as Social Insurance Numbers and notices of assessment."

The agency said it notified those affected by the breach and, while the information still isn't accounted for, it doesn't believe it's been used for fraudulent activity.

Dozens of passports lost

Cases of serious breaches — sometimes referred to as "material breaches" — have to be reported soon after they occur to Canada's privacy commissioner and to the Treasury Board of Canada Secretariat.

This isn't the first time the CRA has had to report breaches to both departments this year.

In two separate breaches, Canada Revenue Agency employees accessed dozens of taxpayers' accounts without permission.

In one of those cases, a CRA employee accessed the accounts of 29 taxpayers and businesses — including the employee's own account — and disclosed the tax credit information of two taxpayers to their spouses, who were not entitled to the information.

According to the breach report on that CRA case, the agency decided not to alert police but did reach out to the affected individuals.

The bulk of breaches reported to the privacy commissioner's office between January and June of this year concerned missing passports. Dozens of passports were lost in the mail, according to the access to information documents.

The Royal Canadian Mint also had to alert the privacy commissioner after it fell for what's known as a "spear-phishing" scam and almost forwarded a former employee's paycheque to fraudsters.