HighOnCity Toronto

CRA data breaches hit 42,755 taxpayers since 2020

Privacy Commissioner reports widespread shortcomings in Canada Revenue Agency's security systems, with hackers using stolen information to access accounts and file false tax returns.

Tens of thousands of Canadian taxpayers have been targeted in data breaches at the Canada Revenue Agency since 2020, according to Canada's privacy watchdog. The CRA reported a total of 42,755 confirmed individual data breaches to the Office of the Privacy Commissioner of Canada (OPC) since 2020.

Privacy Commissioner Philippe Dufresne shared the report with Parliament on Thursday, concluding that there are "shortcomings" in the CRA's prevention, monitoring and detection, remediation, and governance. The breaches involved what the revenue agency describes as "unauthorized access, disclosure or use" of an individual's tax information by a third party.

Hackers used stolen or leaked information from external sources to gain access to taxpayers' accounts. "Bad actors also use legitimate information to modify individuals' accounts, presumably in an effort to file false tax returns, direct CRA payments to themselves or claim benefits," according to the OPC's report. Attackers can also make changes to accounts without directly accessing them, for example by filing a false tax return or updating information by impersonating taxpayers and passing challenge questions via a call centre.

The Privacy Commissioner noted that the CRA was unable to provide complete details of every confirmed data breach due to limitations in its tracking systems. Key criticisms include the agency's failure to implement mandatory multifactor authentication in a timely manner and the finding that, when it did, "it did not rely on the strongest methods according to industry best practices".

Despite relying on many monitoring tools, a majority of the CRA data breaches remained self-reported. Combined with the agency's inability to identify when and how each data breach occurred, Dufresne said this "raises questions about the effectiveness of the CRA's approach".

The commissioner made nine recommendations to the CRA, of which eight were accepted fully and one in part. In response, the revenue agency said it welcomes the commissioner's findings, stating that "the confidence and trust that individuals and businesses have in the CRA is a cornerstone of Canada's tax system" and that "the protection of taxpayer information is of the utmost importance to the CRA".