More than a month after the Canada Revenue Agency took its website offline in the wake of a major cyberattack, the federal tax collection agency won’t say when it expects its online services to fully return to normal.
A number of services within the CRA’s online portal for individual Canadians remain unavailable, including the ability to manage direct deposit information, change an address or authorize a representative.
Links with Service Canada accounts have also been deactivated.
The CRA is “working diligently to restore access to all services as quickly as possible,” spokeswoman Sylvie Branch wrote in an email.
But the CRA won’t say when it expects that to be, only that a “forensic analysis related to the recent cyber incidents continues.”
The CRA has found suspicious activity on around 48,000 accounts after the two “credential stuffing” attacks in June and August, which took advantage of the fact that many people use the same log-in credentials for multiple services, the Treasury Board of Canada said earlier this month.
Jose Manuel Fernandez, a professor at Montreal’s Polytechnique university who teaches about computer security, said it can take time to investigate cyberattacks and fix vulnerabilities.
“These systems are very complex,” he said. “The industry as a whole has a terrible track record of building software that is reliable and free from bugs that can be exploited.”
He said it’s common for organizations to limit access to certain services while they’re investigating, comparing it to the yellow police tape around a crime scene.
An organization like the CRA may also limit users’ ability to make certain changes to reduce the risk of stolen information being used for fraud.
The CRA said the COVID-19 pandemic is not slowing its response.
“The fact that many CRA employees are working from home is not affecting the CRA’s ability to return its online services to full functionality,” Branch said.