Over 42,000 CRA Breaches Since 2020
Canada's federal privacy watchdog has sounded the alarm on a troubling pattern at the Canada Revenue Agency (CRA): more than 42,000 breaches involving unauthorized access to — or modification of — taxpayer accounts have occurred since 2020.
The Office of the Privacy Commissioner of Canada released its findings this week, calling on the CRA to take meaningful steps to shore up its digital defences. The scale of the breaches has raised serious questions about how well the federal government is protecting some of the most sensitive financial data Canadians hand over each year.
What Counts as a Breach?
The breaches flagged by the privacy commissioner include cases where individuals gained unauthorized access to CRA accounts — sometimes through credential stuffing attacks, where stolen usernames and passwords from other data leaks are used to break in — as well as instances where account information was altered without the rightful owner's knowledge.
This kind of access can allow bad actors to redirect tax refunds, change direct deposit information, or harvest personal details for use in further fraud schemes. For ordinary Canadians expecting a refund or managing benefits like the Canada Child Benefit or GST/HST credits, a compromised CRA account can mean significant financial harm and months of bureaucratic headaches.
A Pattern That Predates COVID — But Got Worse
While the 2020 start date in the report coincides with the COVID-19 pandemic — a period when the CRA was processing emergency relief payments at an unprecedented pace — the vulnerabilities exposed during that period have clearly persisted. Fraud rings targeted CERB and other pandemic benefits, and the CRA's rapid digital expansion to handle millions of new interactions opened doors that haven't fully closed since.
The privacy watchdog's report makes clear this isn't a one-time incident but a systemic issue requiring structural fixes, not just patches.
What the Privacy Commissioner Is Asking For
The Office of the Privacy Commissioner stopped short of calling the CRA negligent, but its recommendations are pointed. The watchdog is urging the agency to adopt stronger authentication measures, improve detection of suspicious account activity, and be more proactive in notifying Canadians when their accounts may have been compromised.
The CRA has acknowledged the findings and indicated it is reviewing the recommendations, though advocates for digital rights say the agency needs to move faster given how long these vulnerabilities have been exploited.
What Canadians Can Do Now
If you haven't checked your CRA MyAccount recently, now is a good time. Canadians are advised to:
- Enable two-factor authentication on their CRA account if they haven't already
- Review their direct deposit and contact information to confirm nothing has been changed without their knowledge
- Check their benefit payment history for any irregularities
- Report suspicious activity to the CRA's security team immediately
With tax season freshly behind us, millions of Canadians are waiting on refunds — making this a particularly high-risk window for account fraud.
The full report from the Office of the Privacy Commissioner is available on its official website. The CRA is expected to respond formally to the recommendations in the coming months.
Source: CBC News
