The Canada Revenue Agency (CRA) has acknowledged that tens of thousands of taxpayer accounts were hacked between March 2020 and December 2023, resulting in millions of dollars paid out in fraudulent tax refunds to scammers. An investigation by CBC’s The Fifth Estate and Radio-Canada revealed that the agency significantly underreported these cyberattacks to Parliament, raising concerns about its ability to protect Canadians’ personal information and taxpayer dollars.
In one attack, hackers reportedly exploited confidential credentials from H&R Block Canada, one of the nation’s largest tax preparation firms, to access hundreds of personal CRA accounts. They altered direct deposit information, submitted false tax returns, and collected over $6 million in bogus refunds. Despite preparing media responses, the CRA did not inform the public about the breach, and Revenue Minister Marie-Claude Bibeau declined requests for an interview.
While the CRA reported only 71 privacy breaches to Parliament for the fiscal year ending March 31, 2024, the agency later admitted to over 31,468 “material” privacy breaches affecting 62,000 individual taxpayers from March 2020 to December 2023. Privacy Commissioner Philippe Dufresne did not include these figures in his June 2024 report, stating the information was provided after the reporting period and would appear in the next annual report.
Internal sources suggest that the CRA’s “pay and chase” policy—prioritizing swift issuance of tax refunds over thorough verification—has made it susceptible to fraud. The agency confirmed it mistakenly authorized more than $190 million in bogus payments connected to confirmed privacy breaches between 2020 and early October 2024. Although the CRA claims a drastic reduction in recent years, the $6 million lost in the recent H&R Block breach indicates ongoing vulnerabilities.
Tax experts like André Lareau, an associate professor at Laval University, are calling for a parliamentary inquiry. “They all should tell exactly what happened [and] how much money is involved,” Lareau said, emphasizing the need for transparency and improved security measures to protect taxpayers.
More information on this story can be found on the CBC news site.