Canada's privacy watchdog calls for urgent action after nearly 45,000 tax account breaches reported since 2020

Canada’s privacy watchdog is urging authorities to strengthen cybersecurity measures after more than 42,000 tax account breaches were reported at the Canada Revenue Agency (CRA) since 2020, according to The Canadian Press. The alarming figure has raised concerns about the safety of sensitive taxpayer information and the growing threat of online fraud. Officials warned that weak security systems could leave more Canadians vulnerable to identity theft and financial scams. The watchdog is now calling for urgent improvements in data protection, faster responses to security incidents, and stronger safeguards for government accounts.

In a special report presented in Parliament on Thursday, Privacy Commissioner Philippe Dufresne highlighted several weaknesses in the Canada Revenue Agency’s ability to prevent, detect, monitor, and respond to security breaches. According to the agency, cybercriminals were able to access taxpayer accounts by using stolen or leaked login credentials obtained from outside sources.

"Bad actors also use legitimate information to modify individuals' accounts, presumably in an effort to file false tax returns, direct CRA payments to themselves or claim benefits," the commissioner's report said as quoted by The Canadian Press.


"In addition, attackers can make changes to accounts without ever directly accessing a taxpayer account, for example, by filing a false tax return, or updating information on an account by impersonating and successfully passing challenge questions via a call centre."

According to Dufresne, the CRA struggled to provide complete information on all confirmed security breaches because of weaknesses in its tracking systems and the large number of incidents reported. The privacy commissioner’s office also criticized the agency for delaying the rollout of mandatory multi-factor authentication, a key security feature designed to better protect user accounts. According to the report, the agency did not always follow widely accepted cybersecurity standards.

Officials further noted that the revenue agency was sometimes unable to clearly determine how hackers successfully got past authentication safeguards and accessed taxpayer accounts.

The commissioner proposed nine measures aimed at improving security and privacy protections. The Canada Revenue Agency fully agreed to eight of the recommendations, while partially accepting one.

In a statement Thursday, the revenue agency welcomed the commissioner's findings, saying they would ensure Canadians could continue to trust the agency to protect their personal information.

"The protection of taxpayer information is of the utmost importance to the CRA and in today’s increasingly digital world, the CRA continually takes steps to safeguard sensitive information against ever-evolving threats," the statement said as quoted by the outlet.

"The CRA continues to implement security measures, technologies, processes and controls to ensure the security of taxpayer information."