An investigation by CBC’s The Fifth Estate and Radio-Canada has revealed that the Canada Revenue Agency (CRA) is grappling with an alarming number of cyberattacks that led to fraudulent tax refunds worth millions of dollars being paid to scammers. Between March 2020 and December 2023, 62,000 individual Canadian tax accounts were compromised, a figure the CRA had vastly underreported to Parliament.
H&R Block Data Breach Exposes CRA Vulnerabilities
During this year’s tax season, hackers obtained confidential filing credentials from H&R Block Canada, using them to access hundreds of CRA accounts. The scammers changed direct deposit details and filed fraudulent returns, successfully extracting over $6 million in bogus refunds. This breach, which the CRA did not publicly disclose, highlights a broader issue within the agency’s ability to secure taxpayer information.
Although H&R Block conducted an internal investigation and found no evidence of its systems being compromised, the CRA struggled to identify the source of the hack and suspects it stemmed from external third-party access rather than insider breaches.
Millions Paid in Bogus Refunds Amid Increasing Cyber Threats
The CRA’s internal auditors discovered multiple instances where imposters used fake addresses and hacked accounts to funnel taxpayer dollars into their bank accounts. Despite stopping an additional $14 million in payouts, the agency has already paid $37 million to scammers, according to unsealed affidavits. The total losses, exacerbated by the introduction of COVID-19 emergency benefits, reached $190 million from 2020 to 2024.
Laval University’s Associate Professor André Lareau voiced concern over the CRA’s inability to secure taxpayer data, stating, “The door is open, and some people are infiltrating the system.”
Lack of Transparency Raises Concerns Among Auditors and Parliament
While the CRA claims to have implemented measures to protect taxpayer accounts and mitigate future threats, the agency has faced backlash for failing to report the breaches transparently. Despite acknowledging over 31,468 privacy breaches affecting tens of thousands of Canadians, the CRA admitted to only retroactively informing the Privacy Commissioner and Parliament. Privacy Commissioner Philippe Dufresne’s office defended this delayed reporting, citing the CRA’s late submission of data.
Experts are now calling for a parliamentary inquiry to investigate the full extent of these breaches and to hold the CRA accountable for safeguarding taxpayer information. The situation has left both financial institutions and Canadians questioning the agency’s capacity to detect and prevent large-scale fraud.
The CRA insists that it takes “the protection of Canadians’ tax information very seriously” and is evolving its practices in response to adaptive scam tactics. However, critics believe more transparency and coordination with financial institutions are needed to restore public trust in the agency.( Courtesy CBC News)