Canada Revenue Agency - Agence du revenu du Canada Company Cyber Security Posture
canada.caWelcome to the Canada Revenue Agency’s (CRA) official LinkedIn page! 🇨🇦 We take pride in our diverse workforce, which brings a wide range of skills and perspectives to the Canada Revenue Agency, and remain committed to fostering an inclusive workplace where everyone can thrive. We’re on a mission to better serve Canadians, with the goal to be trusted, fair, and helpful by putting people first. Our dedication has earned us recognition as one of Canada's Top Employers for Young People. Follow us for more on job opportunities, important information about benefits, credits, and all things taxes. Terms and Conditions: http://ow.ly/XpI030iPAP9 Bienvenue sur la page LinkedIn officielle de l’Agence! 🇨🇦 Nous sommes fiers d’avoir un effectif diversifié possédant un vaste éventail de compétences et apportant différentes perspectives à l’Agence du revenu du Canada. Nous demeurons déterminés à favoriser un environnement de travail inclusif où tout le monde peut s’épanouir. Nous avons pour mission de mieux servir les Canadiens et Canadiennes, dans le but d’être dignes de confiance, justes et au service des gens avant tout. Grâce à notre dévouement, nous avons été reconnus comme l’un des meilleurs employeurs au Canada pour les jeunes. Suivez-nous pour en savoir plus sur les possibilités d’emploi, les renseignements importants sur les prestations, les crédits et tout ce qui concerne les impôts. Termes et conditions : https://www.canada.ca/fr/agence-revenu/organisation/soyez-branche/interagir-medias-sociaux.html
CRA-ADRDC Company Details
cra-arc
17390 employees
548833.0
922
Government Administration
canada.ca
Scan still pending
CAN_5096552
In-progress
CRA-ADRDC Risk Score (AI oriented)Between 900 and 1000
This score is AI-generated and less favored by cyber insurers, who prefer the TPRM score.
CRA-ADRDC Global Score.png)
Canada Revenue Agency - Agence du revenu du Canada Company Scoring based on AI Models
| Model Name | Date | Description | Current Score Difference | Score |
|---|---|---|---|---|
| AVERAGE-Industry | 03-12-2025 | This score represents the average cybersecurity rating of companies already scanned within the same industry. It provides a benchmark to compare an individual company's security posture against its industry peers. | N/A | Between 900 and 1000 |
Canada Revenue Agency - Agence du revenu du Canada Company Cyber Security News & History
| Entity | Type | Severity | Impact | Seen | Url ID | Details | View |
|---|---|---|---|---|---|---|---|
| Government of Canada | Cyber Attack | 100 | 6 | 06/2015 | GOV192330422 | Link | |
Rankiteo Explanation : Attack threatening the economy of a geographical regionDescription: Several Canadian government websites and servers were targeted in a cyberattack by the hacking group Anonymous. The attack affected several websites for government services, including canada.ca, as well as the site of Canada’s spy agency, the Canadian Security Intelligence Service (CSIS). The attack was aimed to show their retaliation for a new anti-terrorism law passed by Canada’s politicians. | |||||||
| Canada Revenue Agency - Agence du revenu du Canada | Breach | 85 | 4 | 06/2018 | CAN17246822 | Link | |
Rankiteo Explanation : Attack with significant impact with customers data leaksDescription: Canada Revenue Agency logs 2,338 privacy breaches in just under 2 years. The personal, confidential information of over 80,000 individual Canadians held by the Canada Revenue Agency may have been accessed without authorization over the last 21 months. But only a handful affected a large number of Canadians. | |||||||
| Public Services and Procurement Canada | Cyber Attack | 85 | 4 | 08/2022 | PUB2215251022 | Link | |
Rankiteo Explanation : Attack with significant impact with customers data leaksDescription: A device was stolen from Public Services and Procurement Canada. PSPC is Infrastructure Canada’s service provider for pay, pension and benefits. All 227 employees affected are at Infrastructure Canada. The device in question was stolen on Aug 20 and affected employees were informed on Sept 7. No banking or social insurance information was affected. Name, person record identifier (PRI), date of birth, home address and salary range have been compromised. Ottawa police have been made aware of the incident. | |||||||
| Public Services and Procurement Canada | Breach | 60 | 3 | 09/2018 | PUB110311022 | Link | |
Rankiteo Explanation : Attack with significant impact with internal employee data leaksDescription: A significant data breach happened in the federal government after a device was stolen from Public Services and Procurement Canada. PSPC is Infrastructure Canada’s service provider for pay, pension and benefits. All 227 employees were affected are at Infrastructure Canada No banking or social insurance information was affected. Name, person record identifier (PRI), date of birth, home address and salary range may have been compromised. | |||||||
| Government of Canada | Data Leak | 60 | 3 | 08/2018 | GOV12181122 | Link | |
Rankiteo Explanation : Attack with significant impact with internal employee data leaksDescription: The governments of Canada was exposed to the entire internet details of software bugs and security plans, as well as passwords for servers, official internet domains, conference calls, and an event-planning system by misconfiguring pages on Trello, a project management website. 25 Canadian government trello boards had sensitive information, such as remote file access, or FTP, credentials, and login details for the Eventbrite event-planning platform. The government of Canada said, Departments and agencies of the Government of Canada must apply adequate security controls to protect their users, information, and assets. Employees are being reminded of their obligation never to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service. | |||||||
| Canada Border Services Agency | Agence des services frontaliers du Canada | Breach | 80 | 4 | 10/2022 | CAN206221122 | Link | |
Rankiteo Explanation : Attack with significant impact with customers data leaksDescription: Canada Border Services Agency suffered a data breach incident after a contractor led to the unauthorised access of up to 1.38 million licence plates and related information. The investigation found that the contract lacked clauses with respect to security safeguards, including for the protection and retention of personal information. Bad actors were able to break into the third-party contractors’ systems through an unpatched and decommissioned server, where they were able to access, copy, and remove files from the network, before posting some of the data on the dark web. The breach exposed around 9,000 licence plate photos of travellers crossing into Canada from the border crossing in Cornwall, Ontario. | |||||||
Canada Revenue Agency - Agence du revenu du Canada Company Subsidiaries
Welcome to the Canada Revenue Agency’s (CRA) official LinkedIn page! 🇨🇦 We take pride in our diverse workforce, which brings a wide range of skills and perspectives to the Canada Revenue Agency, and remain committed to fostering an inclusive workplace where everyone can thrive. We’re on a mission to better serve Canadians, with the goal to be trusted, fair, and helpful by putting people first. Our dedication has earned us recognition as one of Canada's Top Employers for Young People. Follow us for more on job opportunities, important information about benefits, credits, and all things taxes. Terms and Conditions: http://ow.ly/XpI030iPAP9 Bienvenue sur la page LinkedIn officielle de l’Agence! 🇨🇦 Nous sommes fiers d’avoir un effectif diversifié possédant un vaste éventail de compétences et apportant différentes perspectives à l’Agence du revenu du Canada. Nous demeurons déterminés à favoriser un environnement de travail inclusif où tout le monde peut s’épanouir. Nous avons pour mission de mieux servir les Canadiens et Canadiennes, dans le but d’être dignes de confiance, justes et au service des gens avant tout. Grâce à notre dévouement, nous avons été reconnus comme l’un des meilleurs employeurs au Canada pour les jeunes. Suivez-nous pour en savoir plus sur les possibilités d’emploi, les renseignements importants sur les prestations, les crédits et tout ce qui concerne les impôts. Termes et conditions : https://www.canada.ca/fr/agence-revenu/organisation/soyez-branche/interagir-medias-sociaux.html
Access Data Using Our API
Get company history
Rapid.png)
CRA-ADRDC Cyber Security News
Tens of thousands of taxpayer accounts hacked as CRA repeatedly paid out millions in bogus refunds
A Fifth Estate and Radio-Canada investigation has found the CRA repeatedly paid out millions of dollars in bogus refunds to scammers.
The making of music: is a master recording tangible or intangible property?
This article is part one of a four-part series that explores the Unidisc decisions and goes into detail on the issues of music masters, ...
Volunteer to do taxes for people in your community
Join thousands of volunteers across Canada! You don't need to be a tax expert to help people. As a volunteer at a free tax clinic, you will:.
Victims of CRA hackers vulnerable to other cyberattacks: experts
Thousands of Canadians affected by recent attacks on the Canada Revenue Agency and federal government computer systems could be vulnerable ...
Sweet v Canada: Federal Court Of Canada certified privacy breach class action against CRA
The taxpayers allege that the CRA, due to operational failures, failed to properly secure the online portals providing access to these accounts.
Tax Consequences of Rental Property Conversions
Case Comment on a recent, and potentially troubling, court decision concerning the tax consequences of a conversion of multi-unit rental ...
Alain Ranger | Tax Law Lawyer in Montréal | People
Alain received and has maintained for over 20 years the highest Martindale-Hubbell rating (AV Preeminent) for a lawyer, and is continuously recognized as a ...
Commissioners
This page contains the biographies of the Commissioner and Deputy Commissioner of the CRA.
Bill C-51: Your tax info at heightened risk, experts say
Under Bill C-51, the Canada Revenue Agency has permission to share your income tax filings with 13 additional government agencies.
CRA-ADRDC Similar Companies
DLRG
Wir, die Deutsche Lebens-Rettungs-Gesellschaft e.V. (DLRG), sind mit über 1,9 Millionen Mitgliedern und Förderern die größte Wasserrettungsorganisation der Welt. Seit unserer Gründung im Jahr 1913 haben wir es uns zur Aufgabe gemacht, Menschen vor dem Ertrinken zu bewahren. Schirmherr ist Bunde
Landeshauptstadt Hannover
Die Stadt Hannover entstand irgendwann im Mittelalter als kleine dörfliche Siedlung auf einer hochgelegenen und damit hochwasserfreien Terrasse der Leine (Honovere= das hohe Ufer). Nach dem 2. Weltkrieg erholte sich die Stadt schneller als man dachte. Auf den Trümmern wurde eine moderne Stadt er
Workingfor.be
Workingfor.be is the job platform of the federal administration. Here, you will find a wide variety of jobs in different fields of profession. Every day thousands of our employees help build tomorrow's society. When you choose the federal administration, you choose an employer who embraces you
Warwickshire County Council
County level local government authority. The County Council Warwickshire County Council provides a wide range of services to over half a million residents. It works with other public, private and voluntary bodies to make Warwickshire a better place for people to live and work. It has specifi
Department of Education
The Department of Education is responsible for delivering the Victorian Government’s commitment to making Victoria the Education State, where all Victorians have the best learning and development experience, regardless of their background, postcode or circumstances. Education remains a cornerstone f
Helsingin kaupunki – Helsingfors stad – City of Helsinki
Helsingin kaupunki on Suomen suurin työnantaja, jonka palveluksessa on lähes 38 000 ammattilaista ja asiantuntijaa. Helsingin kaupunki tarjoaa henkilöstölle monipuolisia, mielenkiintoisia ja yhteiskunnallisesti merkittäviä työtehtäviä, hyvät mahdollisuudet kehittymiseen, ammattitaitoiset työkaveri
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
CRA-ADRDC CyberSecurity History Information
How many cyber incidents has CRA-ADRDC faced?
Total Incidents: According to Rankiteo, CRA-ADRDC has faced 6 incidents in the past.
What types of cybersecurity incidents have occurred at CRA-ADRDC?
Incident Types: The types of cybersecurity incidents that have occurred incidents Cyber Attack, Breach and Data Leak.
How does CRA-ADRDC detect and respond to cybersecurity incidents?
Detection and Response: The company detects and responds to cybersecurity incidents through remediation measures with Employees reminded of their obligation not to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service. and law enforcement notified with Ottawa Police.
Incident Details
Can you provide details on each incident?
Incident : Data Breach
Title: Canada Border Services Agency Data Breach
Description: Canada Border Services Agency suffered a data breach incident after a contractor led to the unauthorised access of up to 1.38 million licence plates and related information.
Type: Data Breach
Attack Vector: Unpatched and decommissioned server
Vulnerability Exploited: Lack of security safeguards in the contract
Threat Actor: Unspecified bad actors
Incident : Data Exposure
Title: Canadian Government Data Exposure via Trello
Description: The government of Canada exposed sensitive information including software bugs, security plans, server passwords, official internet domains, conference calls, and event-planning system details due to misconfigured Trello boards.
Type: Data Exposure
Attack Vector: Misconfiguration
Vulnerability Exploited: Misconfigured third-party service
Incident : Data Breach
Title: Data Breach at Infrastructure Canada
Description: A significant data breach happened in the federal government after a device was stolen from Public Services and Procurement Canada (PSPC). PSPC is Infrastructure Canada’s service provider for pay, pension, and benefits. All 227 employees were affected at Infrastructure Canada. No banking or social insurance information was affected. Name, person record identifier (PRI), date of birth, home address, and salary range may have been compromised.
Type: Data Breach
Attack Vector: Device Theft
Incident : Data Breach
Title: Device Theft at Public Services and Procurement Canada
Description: A device was stolen from Public Services and Procurement Canada, compromising personal information of 227 employees at Infrastructure Canada.
Date Detected: 2023-08-20
Date Publicly Disclosed: 2023-09-07
Type: Data Breach
Attack Vector: Physical Theft
Incident : Data Breach
Title: Canada Revenue Agency Privacy Breaches
Description: The personal, confidential information of over 80,000 individual Canadians held by the Canada Revenue Agency may have been accessed without authorization over the last 21 months.
Type: Data Breach
Incident : Cyberattack
Title: Cyberattack on Canadian Government Websites
Description: Several Canadian government websites and servers were targeted in a cyberattack by the hacking group Anonymous. The attack affected several websites for government services, including canada.ca, as well as the site of Canada’s spy agency, the Canadian Security Intelligence Service (CSIS). The attack was aimed to show their retaliation for a new anti-terrorism law passed by Canada’s politicians.
Type: Cyberattack
Threat Actor: Anonymous
Motivation: Retaliation for a new anti-terrorism law
What are the most common types of attacks the company has faced?
Common Attack Types: The most common types of attacks the company has faced is Breach.
How does the company identify the attack vectors used in incidents?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Unpatched and decommissioned server.
Impact of the Incidents
What was the impact of each incident?
Incident : Data Breach CAN206221122
Data Compromised: Licence plates, Related information
Incident : Data Exposure GOV12181122
Data Compromised: software bugs, security plans, server passwords, official internet domains, conference calls, event-planning system details
Systems Affected: Trello boards
Incident : Data Breach PUB110311022
Data Compromised: Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range
Incident : Data Breach PUB2215251022
Data Compromised: Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range
Incident : Data Breach CAN17246822
Data Compromised: Personal, Confidential
Incident : Cyberattack GOV192330422
Systems Affected: canada.ca, CSIS website
What types of data are most commonly compromised in incidents?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Licence plates, Related information, software bugs, security plans, server passwords, official internet domains, conference calls, event-planning system details, Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range, Personal Information, Personal and Confidential.
Which entities were affected by each incident?
Incident : Data Breach CAN206221122
Entity Type: Government Agency
Industry: Government
Location: Canada
Incident : Data Breach PUB110311022
Entity Type: Government Agency
Industry: Government
Size: 227 employees
Incident : Data Breach PUB2215251022
Entity Type: Government Agency
Industry: Public Services
Location: Canada
Size: 227 employees affected
Incident : Data Breach CAN17246822
Entity Type: Government
Industry: Public Sector
Location: Canada
Customers Affected: 80000
Response to the Incidents
What measures were taken in response to each incident?
Incident : Data Exposure GOV12181122
Remediation Measures: Employees reminded of their obligation not to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service.
Incident : Data Breach PUB2215251022
Law Enforcement Notified: Ottawa Police
Data Breach Information
What type of data was compromised in each breach?
Incident : Data Breach CAN206221122
Type of Data Compromised: Licence plates, Related information
Number of Records Exposed: 1.38 million
Data Exfiltration: Yes
Personally Identifiable Information: Licence plate photos
Incident : Data Exposure GOV12181122
Type of Data Compromised: software bugs, security plans, server passwords, official internet domains, conference calls, event-planning system details
Sensitivity of Data: High
Incident : Data Breach PUB110311022
Type of Data Compromised: Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range
Number of Records Exposed: 227
Sensitivity of Data: High
Personally Identifiable Information: Name, Person Record Identifier (PRI), Date of Birth, Home Address
Incident : Data Breach PUB2215251022
Type of Data Compromised: Personal Information
Number of Records Exposed: 227
Sensitivity of Data: Medium
Personally Identifiable Information: Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range
Incident : Data Breach CAN17246822
Type of Data Compromised: Personal, Confidential
Number of Records Exposed: 80000
Sensitivity of Data: High
Personally Identifiable Information: True
What measures does the company take to prevent data exfiltration?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Employees reminded of their obligation not to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service..
Lessons Learned and Recommendations
What lessons were learned from each incident?
Incident : Data Breach CAN206221122
Lessons Learned: Ensure contracts include security safeguards for the protection and retention of personal information.
Incident : Data Exposure GOV12181122
Lessons Learned: Importance of applying adequate security controls to protect information and assets, and the need to avoid using unauthorized digital tools for sensitive information.
What recommendations were made to prevent future incidents?
Incident : Data Exposure GOV12181122
Recommendations: Ensure that all employees are trained on proper handling of sensitive information and that only authorized tools are used for communication and storage.
What are the key lessons learned from past incidents?
Key Lessons Learned: The key lessons learned from past incidents are Ensure contracts include security safeguards for the protection and retention of personal information.Importance of applying adequate security controls to protect information and assets, and the need to avoid using unauthorized digital tools for sensitive information.
What recommendations has the company implemented to improve cybersecurity?
Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Ensure that all employees are trained on proper handling of sensitive information and that only authorized tools are used for communication and storage..
References
Where can I find more information about each incident?
Incident : Data Breach CAN17246822
Source: Public Disclosure
Where can stakeholders find additional resources on cybersecurity best practices?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Public Disclosure.
Initial Access Broker
How did the initial access broker gain entry for each incident?
Incident : Data Breach CAN206221122
Entry Point: Unpatched and decommissioned server
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident?
Incident : Data Breach CAN206221122
Root Causes: Lack of security safeguards in the contract; Unpatched and decommissioned server
Incident : Data Exposure GOV12181122
Root Causes: Misconfiguration of Trello boards leading to exposure of sensitive information.
Corrective Actions: Remind employees of their obligation not to communicate or store sensitive information on unauthorized digital tools.
What corrective actions has the company taken based on post-incident analysis?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Remind employees of their obligation not to communicate or store sensitive information on unauthorized digital tools..
Additional Questions
General Information
Who was the attacking group in the last incident?
Last Attacking Group: The attacking group in the last incident were an Unspecified bad actors and Anonymous.
Incident Details
What was the most recent incident detected?
Most Recent Incident Detected: The most recent incident detected was on 2023-08-20.
What was the most recent incident publicly disclosed?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-09-07.
Impact of the Incidents
What was the most significant data compromised in an incident?
Most Significant Data Compromised: The most significant data compromised in an incident were Licence plates, Related information, software bugs, security plans, server passwords, official internet domains, conference calls, event-planning system details, Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range, Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range, Personal and Confidential.
What was the most significant system affected in an incident?
Most Significant System Affected: The most significant system affected in an incident were Trello boards and canada.ca, CSIS website.
Data Breach Information
What was the most sensitive data compromised in a breach?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Licence plates, Related information, software bugs, security plans, server passwords, official internet domains, conference calls, event-planning system details, Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range, Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range, Personal and Confidential.
What was the number of records exposed in the most significant breach?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 1.4M.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Ensure contracts include security safeguards for the protection and retention of personal information., Importance of applying adequate security controls to protect information and assets, and the need to avoid using unauthorized digital tools for sensitive information.
What was the most significant recommendation implemented to improve cybersecurity?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Ensure that all employees are trained on proper handling of sensitive information and that only authorized tools are used for communication and storage..
References
What is the most recent source of information about an incident?
Most Recent Source: The most recent source of information about an incident is Public Disclosure.
Initial Access Broker
What was the most recent entry point used by an initial access broker?
Most Recent Entry Point: The most recent entry point used by an initial access broker was an Unpatched and decommissioned server.
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Lack of security safeguards in the contract; Unpatched and decommissioned server, Misconfiguration of Trello boards leading to exposure of sensitive information..
What was the most significant corrective action taken based on post-incident analysis?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Remind employees of their obligation not to communicate or store sensitive information on unauthorized digital tools..
What Do We Measure?
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
