Canada’s privacy commissioner is launching a probe into the Canada Revenue Agency (CRA) in relation to cyberattacks that he says “led to more than 30,000 privacy breaches dating back to 2020.”
According to Philippe Dufresne, the CRA reported the breaches to his office in May 2024 and officials have been engaging with the tax agency to find out more information about the situation.
A news release by the Office of the Privacy Commissioner of Canada on Tuesday says the investigation was launched following the receipt of a complaint.
The investigation will look into whether the CRA met its obligations under the Privacy Act.
Though the commissioner notes a complaint prompted the investigation, news of the probe comes just days after the CBC reported the CRA found hackers had obtained confidential data that appeared to have been used by one of the country’s largest tax preparation firms, H&R Block.
According to that reporting by The Fifth Estate and Radio-Canada, hackers used the company’s confidential credentials to gain unauthorized access to hundreds of Canadians’ personal CRA accounts, change direct deposit information, submit false returns and pocket more than $6 million in bogus refunds.
A statement in that report from H&R Block said there was no evidence the breach came from it.
Global News has not independently confirmed the reporting.
The privacy commissioner notes federal institutions are required to report breaches.
According to a report tabled in Parliament by Dufresne in June, the tax agency reported 71 breaches in the reporting year ending March 31, 2024.
However, the CRA confirmed to Global News in an email that it had retroactively reported 31,468 confirmed privacy breaches between March 2020 and December 2023 to Dufresne’s office and the Treasury Board of Canada Secretariat in the 2024-25 fiscal year.
A spokesperson for the CRA told Global News that “bad actors were able to gain access to taxpayers’ accounts from information they acquired from third parties.”
The CRA has had breaches and cyberattacks reported in previous years.
In August 2020, the CRA disabled its online services after discovering that more than 5,000 accounts had been the target of cyberattacks. It resumed those services a few days later, but at the time the agency said it had modified all of its security systems to protect against future cyberattacks.
About 5,600 CRA accounts were targeted in what the CRA has described as “credential stuffing” schemes, in which hackers used passwords and usernames from other websites to access Canadians’ CRA accounts.
A few months later, in February 2021, the CRA said an unspecified number of accounts had been locked as a “precaution” after an internal analysis revealed that some credentials may have been compromised. Then in March of that year, the agency said another 800,000 accounts would be locked; a spokesperson said the user IDs and passwords had been obtained by unauthorized third parties through a variety of means “by sources external to the CRA.”
The commissioner advises that individuals can protect themselves by checking their CRA accounts for suspicious activity and changing their account passwords.
No further details on the investigation were provided, as the commissioner’s office says it is an active investigation.
— with files from The Canadian Press