CRA Admits to Massive Underreporting of Cyberattacks

Share post:

The Canada Revenue Agency (CRA) has acknowledged that tens of thousands of taxpayer accounts were hacked between March 2020 and December 2023, resulting in millions of dollars paid out in fraudulent tax refunds to scammers. An investigation by CBC’s The Fifth Estate and Radio-Canada revealed that the agency significantly underreported these cyberattacks to Parliament, raising concerns about its ability to protect Canadians’ personal information and taxpayer dollars.

In one attack, hackers reportedly exploited confidential credentials from H&R Block Canada, one of the nation’s largest tax preparation firms, to access hundreds of personal CRA accounts. They altered direct deposit information, submitted false tax returns, and collected over $6 million in bogus refunds. Despite preparing media responses, the CRA did not inform the public about the breach, and Revenue Minister Marie-Claude Bibeau declined requests for an interview.

While the CRA reported only 71 privacy breaches to Parliament for the fiscal year ending March 31, 2024, the agency later admitted to over 31,468 “material” privacy breaches affecting 62,000 individual taxpayers from March 2020 to December 2023. Privacy Commissioner Philippe Dufresne did not include these figures in his June 2024 report, stating the information was provided after the reporting period and would appear in the next annual report.

Internal sources suggest that the CRA’s “pay and chase” policy—prioritizing swift issuance of tax refunds over thorough verification—has made it susceptible to fraud. The agency confirmed it mistakenly authorized more than $190 million in bogus payments connected to confirmed privacy breaches between 2020 and early October 2024. Although the CRA claims a drastic reduction in recent years, the $6 million lost in the recent H&R Block breach indicates ongoing vulnerabilities.

Tax experts like André Lareau, an associate professor at Laval University, are calling for a parliamentary inquiry. “They all should tell exactly what happened [and] how much money is involved,” Lareau said, emphasizing the need for transparency and improved security measures to protect taxpayers.

More information on this story can be found on the CBC news site.

 

SUBSCRIBE NOW

Related articles

DOGE’s Teen Hacker Stirs Concern Over Musk Team’s Access to Federal Databases

A 19-year-old named Edward “Big Balls” Coristine has raised red flags after Wired revealed he holds a key...

Deep Seek and Open Source AI – Without the Hype: Discussion with Robert Falzon, Head of Engineering, Check Point

DeepSeek AI is shaking up the cybersecurity world—are we prepared for the risks? Join host Jim Love and...

OpenEuroLLM: Europe’s €52M Bet on Challenging US and China in AI

A new coalition, backed by the European Commission and referred to as OpenEuroLLM, is rallying more than 20...

Researchers Jailbreak DeepSeek AI, Expose System Prompt and Raise Security Concerns

Security researchers at Wallarm have successfully jailbroken DeepSeek, a recently released open-source AI model from China. The jailbreak...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways