A major privacy report has revealed that more than 42,000 taxpayer accounts at the Canada Revenue Agency (CRA) have been compromised since 2020, raising fresh concerns about identity theft, cyber fraud and the protection of Canadians’ sensitive financial information.
In a special report tabled before Parliament, Philippe Dufresne said the repeated breaches resulted in unauthorized access to confidential taxpayer information, often carried out by criminals seeking financial gain.
The report concluded that the CRA failed to adequately safeguard personal information under its control and issued nine recommendations aimed at strengthening security protections and fraud detection systems.
Thousands of Canadians Potentially Impacted
According to the report, the breaches involved unauthorized access to taxpayer accounts either online through CRA’s “My Account” portal or over the phone.
While officials could not provide precise details for every breach due to tracking limitations and the sheer number of incidents, compromised accounts may have exposed highly sensitive information including:
- Social Insurance Numbers (SINs)
- Home addresses
- Tax returns and income details
- Banking and direct deposit information
- Benefit payment records
The report noted some breaches involved individual accounts, while others affected multiple taxpayers simultaneously.
CRA Says Victims Are Contacted Directly
The CRA says it notifies individuals or businesses it believes may have been impacted by suspicious activity or identity theft.
Affected Canadians may receive registered letters or direct phone calls with instructions on how to verify their identity and regain secure access to their accounts.
The agency says compromised accounts are temporarily disabled while investigations take place.
The CRA also stated it may offer free credit protection services to affected individuals and will ensure taxpayers are not held responsible for fraudulent claims made using stolen identities.
Privacy Commissioner Calls for Stronger Protections
The federal privacy watchdog made nine recommendations to improve CRA security systems, eight of which the agency fully accepted.
The recommendations include:
- Stronger multi-factor authentication protections
- Enhanced identity verification procedures for phone access
- Improved monitoring and detection systems
- Better tracking and reporting of breaches
- More proactive fraud prevention strategies
Dufresne said stronger action is needed to ensure taxpayer information is protected against increasingly sophisticated cyber threats.
Canadians Urged to Monitor Accounts Closely
The CRA is encouraging Canadians to regularly review their online accounts for suspicious activity, including:
- Unexpected address changes
- Unauthorized banking updates
- Unknown representatives added to accounts
- Missing benefit payments
- Unrecognized tax filings
The agency also recommends Canadians use strong, unique passwords for CRA accounts and avoid reusing passwords from banking or other online services.
Growing Concerns About Identity Theft
The report comes amid growing national concern over identity fraud and cybersecurity vulnerabilities involving government systems.
Recent investigative reporting has also linked some CRA fraud cases to organized identity theft operations involving fake documents and fraudulent tax refund claims.
Privacy experts warn that the true scale of the problem could be even larger than officially reported, particularly as cybercriminals increasingly target government portals containing financial and personal information.
Federal officials say the CRA continues to upgrade its cybersecurity systems, but the latest findings are expected to intensify pressure on Ottawa to strengthen protections for millions of Canadian taxpayers.