Hackers steal $6.6M through false Canada Revenue Agency tax returns


Published October 29, 2024 at 12:14 pm


Hackers used personal Canada Revenue Agency account information to steal $6.6 million.

A CRA spokesperson tells INsauga.com the “threat actors” attempted to get $21.5 million.

The imposters used H&R Block Canada’s confidential credentials to hack into hundreds of Canadians’ personal CRA accounts, change direct deposit information and submit false returns during the 2024 tax season, an investigation by CBC’s The Fifth Estate and Radio-Canada found.

In this particular case, the hackers attempted to get $21.5 million in bogus refunds, but the CRA intercepted $14.9 million, resulting in the $6.6 million loss, the CRA told INsauga.com.

A total of $157 million was blocked by the CRA, the spokesperson said.

H&R Block Canada is one of many third parties that have credentials, and the CRA said it works with these companies, sharing information when taxpayer information has been compromised.

H&R Block told CBC they conducted an investigation and found none of its systems had been compromised and the taxpayers impacted were not H&R Block clients.

The CRA didn’t say who hacked the data or where the breach came from.

The CRA said if there is an unauthorized use of taxpayer information by a third party, it takes the necessary security actions.

“This includes contacting the impacted individuals directly to make them aware of the incident, advising them of the measures the CRA is taking to protect their information, and outlining the steps they can take to further protect their account,” the spokesperson said in an emailed statement.

If there is a privacy breach impacting the broader Canadian public, the CRA may choose to issue a public alert. In 2020, the CRA issued a general warning about credential stuffing attacks, and strongly encouraged Canadians to avoid reusing passwords.

Since 2020, there has been a significant increase in the number of identity theft cases and unauthorized use of taxpayer information by a third party, the statement read. These incidents followed the announcement of the COVID-19 emergency benefits.

“Later that year, the CRA also noticed a marked increase in external data breaches and cyber threats as external threat actors attempted to capitalize on a unique and lucrative set of circumstances,” the spokesperson said.

At that time, the CRA prioritized protecting accounts, improving security and protection measures and contacting affected taxpayers, the CRA said.

The CRA confirmed that the following amounts were fraudulently paid out on individual accounts related to unauthorized use of taxpayer information by a third party. These numbers account for T1 returns and COVID benefits only:

  • 2020: $181 million
  • 2021: $5 million
  • 2022: $0.4 million
  • 2023: $2 million
  • 2024: $3 million (as of Oct. 4, 2024)

“The drastic reduction in these numbers after 2020 demonstrates that the CRA’s systems are identifying and stopping fraudulent claims before they are paid out,” the statement read.

The CRA is working with Public Services and Procurement Canada to recover funds from financial institutions that were issued as a result of unauthorized use of taxpayer information by a third party.

There were delays in reporting 31,468 breaches from March 2020 to December 2023 to Canadian Parliament due to the lack of a reporting process for these types of privacy breaches, and because the agency prioritized protecting the accounts and advising affected taxpayers, the CRA said. There were also difficulties in contacting taxpayers to confirm the breach.

The CRA said they are continually enhancing security measures, technologies, processes and controls to ensure the security of taxpayer information.

Security measures include multi-factor authentication throughout CRA login services, and proactively revoking user IDs and passwords that may have been obtained by unauthorized third parties through a variety of external sources.

“The protection of taxpayer information remains one of our highest priorities,” the spokesperson said. “Recognizing our robust security controls, we, like many large organizations, are not immune to privacy breaches, and we recognize the worry and frustration this can cause for those affected.”

The CRA proactively detects, reports, and addresses external fraud and the unauthorized use of taxpayer information by a third party.

“When we suspect an account is the target of an external threat actor, we take swift and immediate precautionary measures on the taxpayer’s account such as locking it to prevent transactions, conducting in‑depth reviews, and contacting the individuals,” the statement read. “If a privacy breach is confirmed, the CRA formally notifies the affected individuals and provides credit protection, where warranted, at no cost to them.”

Taxpayers who are confirmed victims of identity theft are not held responsible for any money paid out to scammers or for penalties or interest related to fraudulent claims, the spokesperson said.

For more information on protecting personal information from external threats, see the government website here.
