Canadian taxpayers' info hacked in over 42,000 CRA account data breaches

May 8 2026, 7:42 pm

Tens of thousands of Canadian taxpayers have been targeted in Canada Revenue Agency (CRA) data breaches since 2020, according to Canada’s privacy watchdog.

The CRA reported a total of 42,755 confirmed individual data breaches to the Office of the Privacy Commissioner of Canada (OPC) since 2020.

Privacy Commissioner Philippe Dufresne shared the report with Parliament on Thursday. It concluded that there are “shortcomings” in the CRA’s prevention, monitoring and detection, remediation, and governance.

The revenue agency describes the breaches as “unauthorized access, disclosure or use” of an individual’s tax information by a third party. The hackers used stolen or leaked information from external sources to gain access to taxpayers’ accounts.

“Bad actors also use legitimate information to modify individuals’ accounts, presumably in an effort to file false tax returns, direct CRA payments to themselves or claim benefits,” reads the OPC’s report.

“In addition, attackers can make changes to accounts without ever directly accessing a taxpayer account, for example, by filing a false tax return, or updating information on an account by impersonating and successfully passing challenge questions via a call centre.”

Report findings

Dufresne noted that the CRA was unable to provide the federal privacy watchdog with details of every confirmed data breach due to limitations in its tracking systems.

The privacy commissioner’s criticisms include the agency’s failure to implement mandatory multifactor authentication in a timely manner, and that, once it did, “it did not rely on the strongest methods according to industry best practices.”

The report added that when it came to monitoring and detection, despite relying on many tools, a majority of the CRA data breaches remained self-reported. Dufresne says that combined with the agency’s inability to identify when and how each data breach occurred, it “raises questions about the effectiveness of the CRA’s approach.”

The commissioner made nine recommendations to the CRA, of which eight were accepted fully and one in part.

CRA responds to the privacy commissioner’s feedback

In an email statement to Daily Hive, the revenue agency said it welcomes the commissioner’s findings.

“The confidence and trust that individuals and businesses have in the CRA is a cornerstone of Canada’s tax system,” reads the statement. “The protection of taxpayer information is of the utmost importance to the CRA and in today’s increasingly digital world, the CRA continually takes steps to safeguard sensitive information against ever-evolving threats.”

The agency said that in 2020, there was a significant increase in the number of identity theft cases following the announcement of COVID-19 emergency benefits. It said that, at the time, it focused on protecting accounts, enhancing security measures, and contacting affected taxpayers.

According to the government agency, it continues to implement security measures, technologies and controls with “threat actors becoming increasingly sophisticated and constantly evolving their tactics.”

This includes mandatory multifactor authentication for all users who access the CRA’s sign-in services.

“As of February 2026, CRA account users are prompted to add a backup MFA option where applicable, further strengthening the security of taxpayers’ online accounts,” reads the statement.

It added that it also conducts routine checks and analyses to identify user IDs and passwords that may have been hacked. Any that are identified are revoked.

The agency has also implemented a “Confirm my Representative” process for all authorization requests submitted by a third party seeking online access to taxpayer information.

“Taxpayers must confirm or deny these requests in their account or provide specific information to their representative to support the authorization request,” reads the statement.

Lastly, the agency now requires My Account users to have an email address on file and limits new account users to only one credential (either a CRA user ID and password or a Sign-In Partner).

This report comes as a nationwide class-action settlement involving the alleged privacy breach of Government of Canada online accounts was approved by the Federal Court earlier this week.
