In the summer of 2023, more than 60,000 CRA accounts were hacked and used to submit fake tax returns, according to an investigation by CBC’s The Fifth Estate and Radio-Canada. Forty million dollars of fraudulent refunds were stopped part way when an investigation uncovered that the CRA was being duped.
In the fallout, the data breach has raised concerns about the safety of online personal information and how the federal government manages it. This is a fair concern, since the CRA has reportedly lost an estimated $190 million to scam artists since 2020, an alarming amount to say the least. In this article, we’ll explain how the CRA got hacked, how they are addressing the issue, and how you can protect your personal data.
What happened?
Hackers targeted the CRA by accessing its tax filers’ personal data. It’s unclear exactly where they breached the system to get the data. Some say it was through the CRA itself. Some say it was through the tax filing firm H&R Block. Neither organization is owning up to the issue. Both say their systems are secure and no breach happened.
The scam was straightforward. The hackers used stolen data to access CRA accounts. They then changed bank account details and direct deposit information to ensure the fake refunds went to them. Next, they filed fake T4 slips to report a certain amount of income. With that done, they altered previous years’ tax returns to claim large tax deductions. Doing so allowed them to request millions of dollars in refunds. The CRA processed these claims without adequately checking the tax slips, allowing the scammers to collect the money.
Important personal information, such as social insurance numbers (SINs), credit card details, and bank account numbers, was exposed to hackers. Unfortunately, this has put many Canadians at risk of identity theft.
The fraud may not have been caught if it hadn’t been for CIBC. The bank flagged a hefty $10 million deposit and contacted the CRA. This led to the discovery of the massive scam.
How hackers gained access to CRA accounts
Most likely, the hackers used stolen usernames and passwords from previous data breaches. Many people use the same password for different accounts, which makes it easier for hackers to get away with these CRA scams.
Although using one password for many accounts may be convenient, it puts you at risk of this type of attack. Hackers can use stolen login details on other sites, making you more susceptible to being a victim of fraud.
Sadly, the CRA didn’t have enough security checks during the breach. The fake refunds were processed without being correctly verified, allowing the scammers to take millions of dollars before they were caught.
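The sequence described under "What happened?" (a direct deposit change, new T4 slips and amended prior-year returns, then a refund request) can be expressed as a hold-for-review rule of the kind the missing verification would have provided. This is an added example, not CRA code; the event names, the 14-day window and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real CRA data); event names are hypothetical.
EVENTS = [
    ("A100", "2023-07-01T09:00", "login"),
    ("A100", "2023-07-01T09:05", "direct_deposit_change"),
    ("A100", "2023-07-01T09:20", "t4_filed"),
    ("A100", "2023-07-02T10:00", "prior_year_amended"),
    ("A100", "2023-07-03T11:00", "refund_requested"),
    ("B200", "2023-03-01T08:00", "direct_deposit_change"),
    ("B200", "2023-07-10T12:00", "refund_requested"),
    ("C300", "2023-07-05T14:00", "prior_year_amended"),
    ("C300", "2023-07-06T14:00", "refund_requested"),
]

WINDOW = timedelta(days=14)  # assumed look-back window before a refund request
RISKY = {"direct_deposit_change", "t4_filed", "prior_year_amended"}


def refunds_to_hold(events, window=WINDOW):
    """Return {account: sorted risky event kinds} for refunds to hold for review.

    A refund is held when a direct deposit change AND at least one other
    risky change (new T4 slip or prior-year amendment) happened within
    `window` before the refund request.
    """
    by_account = {}
    for account, ts, kind in events:
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), kind))

    held = {}
    for account, rows in by_account.items():
        rows.sort()
        for when, kind in rows:
            if kind != "refund_requested":
                continue
            # Risky changes made shortly before this refund request.
            recent = {k for t, k in rows
                      if k in RISKY and timedelta(0) <= when - t <= window}
            if "direct_deposit_change" in recent and len(recent) >= 2:
                held[account] = sorted(recent)
    return held


if __name__ == "__main__":
    for account, reasons in refunds_to_hold(EVENTS).items():
        print(account, "hold refund:", ", ".join(reasons))
```

Account B200 changed its deposit details months before the refund and C300 only amended a return, so neither is held; only the account that combines the changes in a short window is.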
What the CRA is doing to improve security
Here are several measures that the CRA implemented to safeguard users’ data:
Multi-factor authentication (MFA): The CRA now requires users to enable MFA. This means you must enter a one-time code sent to your phone or email, which adds an extra layer of security to your account.
Mandatory email address: My Account users must have an email address on file with the CRA. Users will receive notifications about any account changes, such as address updates or direct deposit details. If a user receives an email about an update they did not allow, they should contact the CRA immediately.
Identity protection services: The CRA offers identity protection services to those affected by the hack. These services will help you regain control of your account and prevent further fraud.
Revoking compromised accounts: If a hacker is found to be accessing an account, the CRA will lock it temporarily. You will then be contacted with steps to verify your identity and restore your account.
How to protect your personal information
These are some common strategies to help you safeguard your sensitive data.
Use strong, unique passwords
Use strong and unique passwords to protect your CRA account and other online accounts. A password manager or a password generator can help you create strong passwords that are unique to each account.
Enable multi-factor authentication (MFA)
Even if your password is compromised, having multi-factor authentication turned on will make it harder for hackers to access your account.
Check your bank account and credit card information
Review your bank account and credit card statements regularly for unauthorized transactions. If you notice anything suspicious, report it to your bank or credit card company right away.
Install antivirus software
It’s good practice to have antivirus software installed on your computer and mobile devices. This helps stop hackers from installing malware to steal your personal data.
Use security software and a virtual private network (VPN)
Using security software and a VPN can protect your personal data when browsing the internet. Basically, a VPN creates a secure connection between your device and the internet. This makes it harder for hackers to intercept and steal your data.
Be cautious of phishing emails and text messages
Hackers often use phishing emails and text messages to steal personal information. If you get unsolicited messages asking for sensitive information such as credit card numbers, verify the sender before responding. Remember, the CRA will never ask for this information by email.
Tips on dealing with a hacked CRA account
If your CRA account becomes compromised, here are the steps you can take to resolve this issue:
Report fraud immediately: If you believe your CRA account has been hacked and have noticed suspicious activity, report it to the CRA promptly. An agent will guide you through the steps to restore your account and protect your data.
Change your password: If you think your account has been hacked, change your password immediately. Additionally, update any security questions and make sure the answers are hard for hackers to guess.
Contact your bank: If your bank account or credit card details were exposed or your information changed, notify your bank as soon as possible. They can freeze your account to prevent further fraudulent transactions. If necessary, they can issue new account numbers.
Inform your credit bureau: If you think that a scammer has gained access to your financial information, have Equifax or TransUnion closely monitor your credit score and credit history.
Report misuse of your Social Insurance Number (SIN): If you suspect that someone has stolen or misused your SIN, you should report it to Service Canada.
Notify the Canadian Anti-Fraud Centre (CAFC): After you’ve notified the CRA about your compromised account, it’s also important to report the incident to the CAFC.
Scan for malware: If your computer or mobile device was infected with malware, consider using a virus removal service. This will help remove any harmful software that may have been used to steal your sensitive data.
Secure your personal data
The CRA hack was a wake-up call for Canadians about protecting personal information online. While the CRA is taking steps to improve security and prevent future breaches, you should take action too.
You can help protect your personal data from hackers by using strong passwords, enabling multi-factor authentication, and staying alert for phishing scams.
If you’re managing debt, being a target of fraud can make it more challenging. Take steps to protect your personal information and focus on strategies to pay off your debt. Contact one of our trained Credit Counsellors for personalized advice on the best debt relief solutions.