Tens of thousands of taxpayer accounts hacked as CRA repeatedly paid out millions in bogus refunds
Agency admits it vastly underreported cyberattacks against Canadian taxpayers to Parliament
At the height of this year's tax season, the Canada Revenue Agency discovered that hackers had obtained confidential data used by one of the country's largest tax preparation firms, H&R Block Canada.
Imposters used the company's confidential credentials to get unauthorized access into hundreds of Canadians' personal CRA accounts, change direct deposit information, submit false returns and pocket more than $6 million in bogus refunds from the public purse, an investigation by CBC's The Fifth Estate and Radio-Canada has found.
In one case, the hackers filed a return with a legitimate postal code, but a fake address on a non-existent Tomato Street.
"Obviously the door is open and some people are infiltrating the system," André Lareau, an associate tax professor at Laval University in Quebec City, said in an interview. "But the CRA does not seem to have found the key to lock the door."
According to sources, the crisis prompted the CRA to contact the office of Revenue Minister Marie-Claude Bibeau.
The agency prepared media lines to respond to inquiries should there be questions about the breach of H&R Block data and why the agency paid out millions to scammers.
In the end, the public was never alerted to the scheme.
Bibeau declined The Fifth Estate/Radio-Canada's request for an interview.
In a statement, H&R Block said there is no evidence the breach came from it.
The tax firm said a "comprehensive internal investigation" concluded none of its "data, systems, software and security" had been compromised. H&R Block said it is not aware that the Canadian taxpayers impacted by the breach were any of its own clients.
According to sources, the CRA failed to identify the hackers, but ruled out the possibility of a breach of its own systems or insider involvement. Ultimately, who hacked that data and where from remains unknown.
Both the revenue minister and CRA's media relations office did not respond to questions about the H&R Block data breach.
The Fifth Estate and Radio-Canada are not identifying the sources because they are not authorized to speak publicly.
Massive rise in reported breaches to Parliament
The investigation by The Fifth Estate and Radio-Canada has found that the H&R Block data breach is just one example of many that are overwhelming the CRA, as auditors and investigators worry the public might lose trust in the agency tasked with safeguarding its taxpayer dollars and personal information.
As the agency scrambles internally to deal with so-called threat actors, The Fifth Estate/Radio-Canada investigation has found the public is mostly being kept in the dark about the staggering amounts stolen and the gaping flaws in the agency's ability to detect fraud.
Lareau said a parliamentary inquiry should be struck to determine the "magnitude" of the problem — and to compel answers from the CRA and the minister.
"They all should tell exactly what happened [and] how much money is involved," he said.
The CRA also has a duty to report "material" breaches of taxpayer accounts to the Privacy Commissioner, who reports directly to Parliament.
In a report to Parliament in June, the privacy commissioner reported 71 breaches at the CRA in the fiscal year ending March 31, 2024. In the previous three years, 42 privacy breaches had been reported.
Those numbers have since exploded.
In answers to questions from The Fifth Estate/Radio-Canada, the CRA admitted it has been hit with more than 31,468 "material" privacy breaches from March 2020 to December 2023, affecting 62,000 individual Canadian taxpayers.
Parliament not informed
Privacy Commissioner Philippe Dufresne also declined an interview.
In an email, his office defended the decision to leave the massive increase in privacy breaches out of his June 2024 report to MPs. The commissioner's office justified the decision by saying the CRA sent the information after the March 2024 reporting period, and that he will include the new numbers in next year's annual report.
For its part, the CRA said it only reported the 31,468 privacy breaches retroactively.
In response to questions from The Fifth Estate/Radio-Canada, the agency said it noticed a "marked increase in external data breaches and cyberthreats" where "unauthorized third parties" accessed Canadians' tax accounts, changed direct deposit information, produced "fraudulent tax information slips" and filed fraudulent returns.
The CRA said individual taxpayers are informed when a breach occurs, that they are offered "credit protection as required" and that it takes the protection of Canadians' tax information "very seriously."
The CRA would not answer how and when it first learned that the number of privacy breaches was being underreported to Parliament, nor did it break down the total numbers reported by year.
In 2020, the Treasury Board reported that CRA cyberattacks that year had been brought under control. In 2022, a judge in a class-action lawsuit over federal government privacy breaches concluded that direct deposit information had been changed by scammers in 12,700 CRA accounts.
In a second statement sent Friday evening, the CRA said it had mistakenly authorized more than $190 million in bogus payments connected to "confirmed" cases of privacy breaches between 2020 and early October 2024.
The agency said most of those occurred in 2020 amid the COVID-19 pandemic and that there has been a "drastic reduction" in more recent years.
In its statement, the agency said it paid out a total of $3 million in 2024 to imposters — a figure that appears at odds with the $6 million lost in this year's H&R Block data breach alone, according to sources.
According to sources, the CRA has a backlog of suspicious cases that have not yet been reported as "confirmed" cases.
H&R Block credentials breach a microcosm
Not all schemes against the CRA involved privacy breaches. Scammers often use their own accounts to make bogus claims.
According to sources, the case involving H&R Block is a microcosm of an overwhelmed, under-resourced and outmanoeuvred agency where hackers and scammers thrive on the CRA's inability to detect a multitude of tax return frauds.
Complicating the agency's efforts to crack down on fraudulent returns, sources say, is what is known inside the CRA as a "pay and chase" culture — a deliberate policy to get out tax refunds to the public as fast as possible and audit discrepancies later.
Lareau said the CRA likes to promote an "image" of an "efficient" agency that gets out returns "as quickly as possible."
That approach leaves a gaping hole for fraudsters to flourish, sources have told The Fifth Estate/Radio-Canada.
It appears agency officials initially discovered something was wrong after noticing postings on the dark web in April offering to sell illegally obtained H&R Block data.
Hackers had obtained H&R Block e-filing credentials provided by the CRA — in essence the confidential electronic keys used by the firm's accountants to file returns on behalf of taxpayers.
It eventually became clear that the stolen H&R block information helped imposters gain access to Canadians' tax returns, change banking information and even their addresses in order to claim bogus refunds and tax credits.
According to sources, the CRA realized that it had issued multiple, unrelated bogus refunds to the same bank account.
CRA auditors concluded that they were duped into paying out more than $6 million in 2024, before stopping another $14 million from being paid out to imposters.
Lack of communication inside, outside agency
According to sources, the CRA does not always share key information with financial institutions, even when it suspects fraudsters are using one of their bank accounts.
Sources added the agency also worried that a lack of internal communication slowed down the hunt for the hackers.
In its statement, the CRA said the sharp rise in reported breaches goes back to 2020 and the introduction of COVID-19 emergency benefits. The agency said it has responded by offering greater protection to individual taxpayer accounts and safeguarding its online services.
A CRA spokesperson stated that "processes and procedures are in place to quickly respond and mitigate threats to taxpayer information and taxpayer accounts" in the event of a breach.
"As scammers adapt their practices, so does the CRA," said agency spokesperson Kim Thiffault.
- If you have any tips on this story topic, email Harvey.Cashore@cbc.ca or Daniel.Leblanc@cbc.ca or call 416-526-4704.