The agency acknowledges that it significantly underreported cyberattacks affecting Canadian taxpayers to Parliament. During the peak of this year’s tax season, the Canada Revenue Agency (CRA) identified that hackers had accessed sensitive information from one of the nation’s largest tax preparation companies, H&R Block Canada.
Fraudsters exploited the company’s confidential credentials to gain unauthorized entry into numerous Canadians’ personal CRA accounts, alter direct deposit details, submit fraudulent tax returns, and illicitly acquire over $6 million in false refunds from government funds, as revealed by an investigation conducted by CBC’s The Fifth Estate and Radio-Canada.
In one instance, the hackers submitted a tax return using a valid postal code but provided a fictitious address on a non-existent Tomato Street. “Clearly, the system is vulnerable, and certain individuals are breaching it,” stated André Lareau, an associate professor of tax at Laval University in Quebec City, during an interview. “However, the CRA appears to lack the means to secure the system effectively.”
Sources indicate that the situation prompted the CRA to reach out to the office of Revenue Minister Marie-Claude Bibeau. The agency prepared statements to address potential inquiries regarding the breach of H&R Block’s data and the reasons behind the millions paid to fraudsters. Ultimately, the public was not informed about the fraudulent activities.
Minister Bibeau declined to grant an interview to The Fifth Estate/Radio-Canada. In a statement, H&R Block asserted that there is no evidence linking the breach to its operations. The tax preparation firm reported that a “thorough internal investigation” determined that none of its “data, systems, software, and security” had been compromised and stated that it does not know whether any of the affected Canadian taxpayers were its clients.
Massive rise in reported breaches to Parliament
The investigation conducted by The Fifth Estate and Radio-Canada has revealed that the data breach at H&R Block is merely one instance among numerous incidents that are overwhelming the Canada Revenue Agency (CRA). Auditors and investigators express concern that the public may lose confidence in the agency responsible for protecting taxpayer funds and personal information.
As the CRA works internally to address threats posed by malicious actors, the findings from The Fifth Estate/Radio-Canada indicate that the public remains largely uninformed about the significant amounts of money stolen and the substantial deficiencies in the agency’s fraud detection capabilities.
Lareau has suggested that a parliamentary inquiry should be established to assess the “magnitude” of the issue and to demand accountability from the CRA and the minister. “They should provide a detailed account of what transpired and the financial implications involved,” he stated.
Furthermore, the CRA is obligated to inform the Privacy Commissioner of any “material” breaches concerning taxpayer accounts, with the Commissioner reporting directly to Parliament. In a report submitted to Parliament in June, the Privacy Commissioner noted 71 breaches at the CRA for the fiscal year ending March 31, 2024, compared to 42 breaches reported in the preceding three years.
These figures have since surged dramatically. In response to inquiries from The Fifth Estate/Radio-Canada, the CRA acknowledged that it experienced 31,468 “material” privacy breaches from March 2020 to December 2023, affecting 62,000 individual Canadian taxpayers.
Parliament not informed
In a recent email, the commissioner’s office defended its choice to exclude the significant rise in privacy breaches from the June 2024 report to Members of Parliament. The office explained that the Canada Revenue Agency (CRA) provided the relevant data after the reporting period concluded in March 2024, and assured that these figures would be incorporated into the subsequent annual report.
The CRA clarified that it only reported the 31,468 privacy breaches retroactively. In response to inquiries from The Fifth Estate/Radio-Canada, the agency acknowledged a “marked increase in external data breaches and cyberthreats,” where “unauthorized third parties” accessed Canadians’ tax accounts, altered direct deposit details, generated “fraudulent tax information slips,” and submitted fraudulent tax returns.
The CRA stated that individual taxpayers are notified when a breach occurs, are offered “credit protection as necessary,” and emphasized its commitment to safeguarding Canadians’ tax information. However, the agency did not disclose how or when it first became aware that the number of privacy breaches was being underreported to Parliament, nor did it provide a breakdown of the total reported figures by year.
In 2020, the Treasury Board indicated that CRA cyberattacks had been effectively managed. A judge in a 2022 class-action lawsuit regarding federal government privacy breaches determined that scammers had altered direct deposit information in 12,700 CRA accounts. In a subsequent statement released on Friday evening, the CRA admitted to mistakenly authorizing over $190 million in fraudulent payments linked to “confirmed” cases of privacy breaches from 2020 to early October 2024.
The agency noted that the majority of these incidents occurred in 2020 during the COVID-19 pandemic, and reported a “drastic reduction” in such cases in the following years. In its statement, the CRA mentioned that it disbursed a total of $3 million in 2024 to imposters, a figure that seems inconsistent with the $6 million lost in this year’s H&R Block data breach alone, according to sources. Additionally, sources indicated that the CRA is facing a backlog of suspicious cases.
H&R Block credentials breach a microcosm
Not all fraudulent activities targeting the CRA involved violations of privacy. Scammers frequently utilize their own accounts to submit false claims.
Reports indicate that the situation surrounding H&R Block exemplifies an agency that is overwhelmed, underfunded, and outmaneuvered, allowing hackers and scammers to exploit the CRA’s shortcomings in identifying various instances of tax return fraud.
Sources suggest that a significant challenge for the agency in addressing fraudulent returns is what is referred to internally as a “pay and chase” culture. This policy prioritizes the rapid disbursement of tax refunds to the public, with audits of discrepancies conducted at a later stage.
Lareau noted that the CRA aims to project an image of an “efficient” agency that processes returns “as quickly as possible.” However, this strategy creates significant vulnerabilities that fraudsters can exploit, as reported by The Fifth Estate/Radio-Canada.
It seems that agency officials first became aware of potential issues when they observed advertisements on the dark web in April, offering illegally acquired H&R Block data for sale.
Hackers had gained access to H&R Block’s e-filing credentials provided by the CRA, essentially the confidential electronic keys that the firm’s accountants use to file returns on behalf of taxpayers.
Ultimately, it became evident that the compromised H&R Block information enabled imposters to access Canadians’ tax returns, alter banking details, and even change addresses to claim fraudulent refunds and tax credits.
According to sources, the CRA recognized that it had issued multiple unrelated fraudulent refunds to the same bank account. CRA auditors determined that they had been misled into disbursing over $6 million in 2024, while successfully preventing an additional $14 million from being paid out to imposters.
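The two signals described in this section, several unrelated taxpayers' refunds landing in one bank account and a refund issued shortly after direct-deposit details were changed, are the kind of pre-payment checks a "pay and chase" process skips. The following is an added illustration, not CRA code and not drawn from the investigation; the refund records, the synthetic taxpayer identifiers, the 14-day window and the three-taxpayer threshold are all constructed assumptions.

```python
"""Pre-payment fraud signals for tax refunds (illustrative, constructed data).

Signal 1: one direct-deposit account receiving refunds for several distinct taxpayers.
Signal 2: a refund released within a short window after direct-deposit details changed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Refund:
    sin: str                         # taxpayer identifier (synthetic placeholder, not a real SIN)
    account: str                     # destination direct-deposit account (synthetic)
    amount: float
    issued: date                     # date the refund would be released
    deposit_changed: Optional[date]  # last change to direct-deposit details, if any on file


# Constructed sample: acct-1 receives refunds for three different taxpayers,
# and several refunds follow a direct-deposit change by only a few days.
SAMPLE: List[Refund] = [
    Refund("sin-A", "acct-1", 1200.0, date(2024, 4, 10), date(2024, 4, 2)),
    Refund("sin-B", "acct-1", 950.0, date(2024, 4, 11), date(2024, 4, 3)),
    Refund("sin-C", "acct-1", 2100.0, date(2024, 4, 12), None),
    Refund("sin-D", "acct-2", 800.0, date(2024, 4, 12), date(2022, 1, 15)),
    Refund("sin-E", "acct-3", 400.0, date(2024, 4, 13), date(2024, 4, 13)),
    Refund("sin-F", "acct-4", 300.0, date(2024, 4, 14), None),
]


def shared_account_taxpayers(refunds: List[Refund], threshold: int = 3) -> Dict[str, List[str]]:
    """Accounts that receive refunds for at least `threshold` distinct taxpayers.

    The default of 3 (an assumed tuning value) leaves room for a couple's
    legitimate joint account without flagging it.
    """
    by_account = defaultdict(set)
    for r in refunds:
        by_account[r.account].add(r.sin)
    return {acct: sorted(sins) for acct, sins in by_account.items() if len(sins) >= threshold}


def recent_deposit_change(refunds: List[Refund], window_days: int = 14) -> List[Refund]:
    """Refunds issued within `window_days` of a change to direct-deposit details."""
    return [
        r for r in refunds
        if r.deposit_changed is not None
        and 0 <= (r.issued - r.deposit_changed).days <= window_days
    ]


def hold_for_review(refunds: List[Refund], threshold: int = 3, window_days: int = 14) -> List[dict]:
    """Combine both signals; any refund with at least one reason is held before payment."""
    shared = shared_account_taxpayers(refunds, threshold)
    recent = {(r.sin, r.account) for r in recent_deposit_change(refunds, window_days)}
    held = []
    for r in sorted(refunds, key=lambda x: x.sin):
        reasons = []
        if r.account in shared:
            reasons.append("shared_account")
        if (r.sin, r.account) in recent:
            reasons.append("recent_deposit_change")
        if reasons:
            held.append({"sin": r.sin, "account": r.account, "amount": r.amount, "reasons": reasons})
    return held


def held_amount(refunds: List[Refund], **kwargs) -> float:
    """Total value of refunds that would be held rather than paid out immediately."""
    return sum(h["amount"] for h in hold_for_review(refunds, **kwargs))


if __name__ == "__main__":
    for h in hold_for_review(SAMPLE):
        print(h)
    print("held for review:", held_amount(SAMPLE))
```

On the constructed sample, four of the six refunds are held: the three paid into acct-1, two of which also follow a fresh direct-deposit change, and sin-E, whose banking details were changed the same day the refund was due. Both checks run on data the agency already holds at issuance time, which is the point: a hold here costs a few days of delay, whereas the article's "pay and chase" model discovers the same pattern only after the money has left.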
Lack of communication inside, outside agency
According to reports, the Canada Revenue Agency (CRA) does not consistently provide essential information to financial institutions, even when it suspects that fraudsters are exploiting an account held at one of those institutions. Additionally, sources indicated that the agency is concerned that insufficient internal communication has hindered efforts to track down the hackers.
In its official statement, the CRA noted that the significant increase in reported breaches can be traced back to 2020, coinciding with the rollout of COVID-19 emergency benefits. The agency has responded by enhancing protections for individual taxpayer accounts and securing its online services.
A spokesperson for the CRA remarked that “processes and procedures are in place to quickly respond and mitigate threats to taxpayer information and taxpayer accounts” in the event of a breach. “As scammers adapt their practices, so does the CRA,” stated agency spokesperson Kim Thiffault.