Canada's tax agency logged 42,000 data breaches it couldn't explain

Canada's privacy commissioner found the CRA violated federal law by failing to protect millions of taxpayers' sensitive financial data

More than 42,000 Canadian taxpayer accounts have been breached since 2020 — and the federal agency holding their financial data could not explain how most of the attacks succeeded. 

Privacy commissioner Philippe Dufresne, who heads the Office of the Privacy Commissioner of Canada (OPC), tabled a special report in Parliament on May 7 concluding that the Canada Revenue Agency (CRA) contravened the Privacy Act by failing to adequately protect taxpayers' personal information, finding the complaint “well-founded and conditionally resolved.”

The OPC launched the investigation in October 2024 after media reports surfaced that thousands of accounts had been exploited for financial gain and that a high volume of breaches had gone unreported. 

The CRA internally classifies these incidents as Unauthorized Use of Taxpayer Information by a Third Party (UUTP).  

By the time the report was written, the agency had submitted six quarterly breach reports totalling 42,755 confirmed individual cases dating back to May 2020, according to the OPC's special report. 

How attackers got in 

The OPC found that attackers used stolen or leaked credentials from external sources to access taxpayer accounts.  

Once inside, bad actors filed false tax returns, redirected CRA payments, or claimed benefits in victims' names.  

They could also modify accounts without ever logging in directly — by impersonating taxpayers over the phone and passing challenge questions at a call centre, the report said. 

Entry points included financial institutions' sign-in services, the My Account portal, general enquiries phone lines, and tax returns filed through the EFILE system.  

Financial institutions represented the most frequently breached entry point in the OPC's data sample. 

The CRA told the OPC it had no visibility into how third-party authentication processes were bypassed and relied solely on the possibility that external partners might voluntarily report suspicious activity. 
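As an added illustration, not part of the article or of any CRA or OPC tooling: a small detector for the pattern described above, where stolen or leaked credentials are replayed against many different accounts from one source. It flags a source address that touches many distinct accounts within a short window and lists which of those logins succeeded. The log format, addresses, account identifiers and thresholds are constructed assumptions.

```python
"""Flag credential-stuffing behaviour in authentication logs.

Constructed example: one source IP cycling through many *distinct*
accounts in a short window is the signature of replaying leaked
username/password pairs, as opposed to a user retrying one account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, account id, outcome.
SAMPLE_LOG = """\
2020-07-01T09:00:01Z 198.51.100.7 acct-1001 FAIL
2020-07-01T09:00:02Z 198.51.100.7 acct-1002 FAIL
2020-07-01T09:00:03Z 198.51.100.7 acct-1003 SUCCESS
2020-07-01T09:00:04Z 198.51.100.7 acct-1004 FAIL
2020-07-01T09:00:05Z 198.51.100.7 acct-1005 FAIL
2020-07-01T09:00:06Z 198.51.100.7 acct-1006 SUCCESS
2020-07-01T09:05:00Z 203.0.113.9 acct-2001 FAIL
2020-07-01T09:05:30Z 203.0.113.9 acct-2001 FAIL
2020-07-01T09:06:00Z 203.0.113.9 acct-2001 SUCCESS
"""


def parse_events(text):
    """Parse log lines into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: accounts that logged in successfully} for every IP that
    attempted at least `min_accounts` distinct accounts within `window`.
    A single user retrying one account never trips the threshold."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0  # sliding window over this IP's time-ordered events
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            if len({e[2] for e in window_evs}) >= min_accounts:
                compromised = {e[2] for e in window_evs if e[3] == "SUCCESS"}
                alerts[ip] = alerts.get(ip, set()) | compromised
    return alerts
```

In the constructed sample the legitimate retrying user (203.0.113.9) is not flagged, while the stuffing source is, together with the two accounts whose leaked passwords still worked.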

What the CRA couldn't tell the watchdog 

The OPC ran into significant evidentiary problems during the investigation.  

The CRA could not provide details on every confirmed breach, citing tracking limitations and the sheer volume of incidents — and only began formally tracking individual UUTPs in 2022.  

The agency submitted a representative sample rather than a complete dataset, which prevented the OPC from evaluating whether remediation efforts actually worked. 

Governance gaps compounded the problem.  

The CRA's Identity Protection Services team relied on six different systems, some requiring manual data entry in unstructured formats.  

The report noted there was no single centralized repository for breach tracking and no overarching team responsible for coordinating detection and response across all threat sources. 

The CRA also did not conduct root cause analysis on individual breaches outside complex schemes, which the OPC said deprived the agency of “valuable intelligence about bad actors' tactics and about the vulnerabilities of compromised entry points.” 

Authentication failures 

The OPC found the CRA did not make multi-factor authentication (MFA) mandatory until October 2021, and once it did, the methods it offered fell short of international best practices.  

The US Cybersecurity and Infrastructure Security Agency flagged SMS-based MFA as more susceptible to attack as early as 2022.  

The National Institute of Standards and Technology concluded in 2025 that knowledge-based authentication — such as security questions — was obsolete.  

The CRA, according to BNN Bloomberg, “could not always adequately explain how attackers managed to bypass authentication processes.” 

The agency also had not sufficiently adopted a zero-trust security model, under which no user or device is trusted by default and access is continuously re-verified, the report found. 

Nine recommendations, mixed acceptance 

The OPC issued nine recommendations covering stronger MFA, improved phone-based authentication, zero-trust adoption, better breach tracking, and governance restructuring.  

The CRA accepted eight in full and one — on MFA standards — only in part. 

On MFA, the CRA argued it needs to retain SMS-based authentication to serve "vulnerable, rural, or underserved populations."  

The OPC accepted the position but said it expects the CRA to clearly tell taxpayers that SMS is less secure than other options.  

On breach tracking, the CRA accepted the recommendation but requested — and received — a 24-month extension to complete implementation. 

In a statement Thursday cited by BNN Bloomberg, the CRA said it "continually takes steps to safeguard sensitive information against ever-evolving threats" and uses automated monitoring, threat intelligence, and internal analysis to detect suspicious activity. 

The 2020 class-action settlement 

CBC News reported that Federal Court Justice Richard Southcott approved an $8.7m class-action settlement this week for Canadians affected by a 2020 breach of CRA's My Account portal. 

Hackers used "credential stuffing" — exploiting leaked usernames and passwords — and bypassed security questions through "a misconfiguration in CRA's credential management software," Southcott wrote. 

The CRA learned of the exploit on August 6, 2020, when a law enforcement partner alerted it that someone was selling the method on the dark web, according to court filings; the agency fixed it four days later. 

More than 47,000 people had personal and financial information compromised that summer, including social insurance numbers, home addresses, and bank account details, CBC News reported.  

Attackers applied for COVID-19 emergency benefits — including CERB and CESB — in victims' names or diverted legitimate payments elsewhere. 

Roughly $6m of the $8.7m covers those affected by the credential stuffing attacks between June 26 and Aug. 18, 2020.  

Claimants can seek $20 per hour for lost time up to four hours, or up to $200 if fraudulent CERB claims were filed in their name, and up to $5,000 for out-of-pocket identity theft costs.  

Any unclaimed funds go to the Privacy and Access Council of Canada.  

The settlement is administered by KPMG. 