The Canada Revenue Agency (CRA) has paid out millions to fraudulent accounts over the last few years, and now the country’s privacy watchdog has launched an investigation into cyberattacks that have led to thousands of privacy breaches.
The agency said that it saw a “significant increase” in the number of identity theft cases and unauthorized use of taxpayer information by a third party (UUTP) after the announcement of COVID-19 emergency benefits.
“The delays in reporting these breaches from between March 2020 to December 2023 can be attributed to the need to develop a reporting process for these types of privacy breaches, and the fact we prioritized protecting the accounts and advising affected taxpayers,” said the CRA in a statement.
“They can also be attributed to external factors beyond the CRA’s control, such as difficulty in contacting taxpayers to confirm the breach.”
The CRA revealed that in 2020, $181 million was fraudulently paid out on individual accounts related to UUTP. In 2021, it was $5 million, followed by $0.4 million in 2022, $2 million in 2023 and $3 million in 2024 (as of October 4, 2024).
These amounts account for T1 returns and COVID benefits only. The agency said that the drop since 2020 “demonstrates its systems are identifying and stopping fraudulent claims before they are paid out.”
CRA responds to recent investigation
The CRA’s statement comes after the agency made headlines following a recent CBC News investigation.
The report revealed that during this year’s tax season, the agency learned hackers had breached confidential CRA accounts from H&R Block Canada. The investigation noted that when the hackers got into personal CRA accounts, they changed the direct deposit information, submitted false returns and managed to walk away with over $6 million in fraudulent refunds.
CBC found many of these breaches are being underreported to the public and Parliament.
In its statement, the CRA said that threat actors tried to obtain a total of $21.5 million in the case of the CBC report. The agency confirmed that it blocked $157 million and intercepted $14.9 million.
“The CRA works closely with third parties, sharing information when there is sufficient concern that taxpayer information in their possession has been compromised,” the agency said. It noted that if the UUTP has been confirmed, several actions are taken, including contacting those impacted to directly inform them of the incident and outlining steps they can take to protect their accounts further.
“The CRA’s continual vigilance combined with individual cyber hygiene creates a strong barrier against those seeking to gain from fraudulent activities,” stated the agency.
Privacy commissioner launches investigation
The Privacy Commissioner of Canada has now launched an investigation into what it says are over 30,000 CRA privacy breaches dating back to 2020.
On Tuesday, the Office of the Privacy Commissioner of Canada (OPC) released a statement, noting the investigation was launched “following the receipt of a complaint.”
“It will examine whether the CRA met its obligations under the Privacy Act, the federal public sector privacy law,” reads the statement. “Federal institutions are required to report breaches in accordance with Treasury Board Secretariat directives.”
The OPC added that Canadians can take steps to protect themselves by changing their CRA accounts.