Recently, scammers hacked tens of thousands of taxpayer accounts. There seems to have been a security breach at the CRA (Canada Revenue Agency), leading to millions in payouts of fraudulent refunds to scammers. What was the security gap? How did this happen? And what is the CRA doing to address this? Here’s what we found.
How did the hack happen?
Confidential taxpayer information, including e-filing credentials, was hacked during the 2024 tax season. Hackers then used these credentials to access hundreds of CRA accounts. Upon gaining this unauthorized access, they:
- Changed direct deposit information on multiple taxpayer accounts
- Submitted false tax returns and claims
- Took more than $6 million in fake refunds from the CRA
Where was the security gap?
An investigation indicated many of the hacked accounts have a common connection by way of Canadian tax firm H&R Block. Both H&R Block and the CRA claim there was no system breach on their end. There are many unanswered questions. Without any system or data security breach, how were bogus payouts made? Who did this? What’s being done to stop it from happening again? No one is coming forward with answers. The CRA says they haven’t been able to identify the hackers or their whereabouts. In all, the Canadian public – the taxpayers – have not received much information about what has happened to their money, nor have the hackers been brought to justice.
History of breaches and payouts of taxpayer money
The Canada Revenue Agency (CRA) has a duty to report “material breaches” to the privacy commissioner, who then reports directly to Parliament. The privacy commissioner reported to Parliament that the CRA was hacked 71 times in the single year ending March 2024, i.e. from March 2023 to March 2024. For context, there were a total of 42 breaches reported in the 3 years prior. That’s a significant increase in material breaches in just one year. This, however, is only the number that was officially disclosed in the June 2024 report.
In an investigative journalism report, it came to light that the CRA admitted to over 31,000 “material” privacy breaches from March 2020 to December 2023. This is much, much higher than the reported 71 or 42 breaches presented to Parliament. This new number affects over 62,000 Canadian taxpayers; however, the parliamentary report did not include any mention of this. Both the commissioner’s office and the CRA claimed that the CRA reported this new number after the reporting period. If the 31,000 material breaches were up to December 2023, and the new report was for March 2023 to March 2024, how did they miss calculating this number after the reporting period for the entire financial year? Will they include the real numbers in their report for 2025? Only time will tell.
This isn’t the end of the story with scammers targeting the CRA. In early 2024, the Tax Court of Canada released a previously sealed affidavit that included details of scammers stealing $37 million in taxpayer funds from the CRA. In another instance in November 2023, the CRA admitted to paying out over $63 million in “sham” tax refunds.
How did the Canadian government and CRA respond?
The Federal Revenue Minister, when asked for an estimate on how much taxpayer money was gone, mentioned that the CRA was “unable to provide the information” as “there is no systematic way to estimate the amount of all unwarranted payments.”
CRA has implemented some security measures to help prevent unauthorized access to taxpayer accounts, including mandatory Multi-Factor Authentication (MFA). This seems like a strong, positive measure in the right direction. It is also now mandatory to have an email address on file. This allows the CRA to notify account owners of any changes made to their accounts. This can help taxpayers be aware of issues quickly and protect themselves. If you receive an email mentioning changes in your account, and you haven’t made any, contact the CRA immediately.
They have also started conducting routine checks and analyses of the CRA user IDs and passwords of “at-risk” profiles. Lastly, they implemented an Identity Protection Services (IPS) program to review and resolve cases of identity theft, helping restore taxpayer account access to victims of identity theft.
What can you do?
As a Canadian taxpayer, there are a few things you can do to protect your CRA accounts:
- Regularly monitor your online accounts for any suspicious activity such as account changes that you did not initiate or expect.
- Keep your account secure by using MFA (Multi-Factor Authentication) and setting secure passwords that are not easy to “guess”.
- Update your security questions and keep the answers confidential. They should, ideally, be something that scammers or identity thieves cannot find out by looking you up online.
- Update your personal contact information and keep it current. This includes your phone number and address.
- If you have given account access to external applications, e.g., tax filing firms, and no longer want them to have access, you can revoke access via your CRA account.
- Report any suspicious activity on your account to the CRA.
Key Takeaways
Tens of thousands of Canadian taxpayers had their CRA accounts hacked during the 2024 tax season. The hackers stole millions in taxpayer money. In this specific case, the CRA insists they were not hacked. However, they did report 71 “material breaches” for the year ending 2024. Only 42 breaches were reported in the three years prior.
A report found that the CRA admitted to a much higher number – 31,000 material breaches affecting 62,000 individual Canadian taxpayers. The 2024 parliamentary report didn’t include any mention of this. The CRA has been dealing with this for a while, including a $37 million scam in early 2024 and sham tax refunds totalling $63 million in November 2023.
Secure your account by using MFA, secure IDs, and passwords. Keep your contact information current, and do not give external applications access to your account unless necessary. Stay aware and vigilant to protect yourself from scams. Verify your accounts regularly, especially if money is tight. Dealing with debt? Contact one of our trained credit counsellors for advice. They’ll help you put together a debt relief strategy that fits your specific situation.