In the midst of this year’s tax season, the Canada Revenue Agency discovered that hackers had obtained sensitive data used by H&R Block Canada, one of the country’s largest tax preparation companies.
According to a CBC investigation, fraudsters used the company’s confidential credentials to gain unauthorized access to hundreds of Canadians’ personal CRA accounts, change direct deposit information, file false tax returns, and claim refunds. They are believed to have obtained more than $6 million in fake refunds, The Fifth Estate and Radio-Canada found.
In one case, the fraudsters filed a return using a legitimate postal code but listed a fake address on a Tomato Street that does not exist.
“Obviously the door is open and some people are getting into the system,” André Lareau, an associate professor of tax law at Université Laval in Quebec City, said in an interview. “But it appears the CRA couldn’t find the key to lock the door.”
Officials said the CRA contacted the office of Revenue Minister Marie-Claude Bibeau in response to the crisis.
The agency prepared media lines in case questions arose about the H&R Block breach or about why it had paid millions of dollars to fraudsters.
In the end, the public was never informed.
Bibeau declined an interview request from The Fifth Estate and Radio-Canada.
H&R Block said in a statement that there is no evidence the breach originated with the company.
The company said a “comprehensive internal investigation” concluded that none of its “data, systems, software or security” had been compromised. H&R Block added that it was not aware that any of the Canadian taxpayers affected by the breach were its customers.
The CRA was unable to identify the hackers, but ruled out a breach of its own systems or insider involvement, sources said. It remains unclear who obtained the data and from where.
Neither the revenue minister nor the CRA’s press office responded to questions about the H&R Block breach.
The Fifth Estate and Radio-Canada are not identifying the sources because they are not authorized to speak publicly.
Significant increase in breaches reported to Parliament
Research by The Fifth Estate and Radio-Canada has revealed that the H&R Block breach is just one of many cases overwhelming the CRA. Auditors and investigators are concerned that the public will lose confidence in the government agency tasked with protecting taxpayers’ money and personal information.
As the agency scrambles internally to deal with so-called threat actors, The Fifth Estate/Radio-Canada investigation finds the public was largely kept in the dark about the staggering amount of money stolen and the authorities’ major shortcomings in detecting fraud.
Mr Lareau said a parliamentary inquiry should be launched to determine the “scale” of the problem and force answers from the CRA and ministers.
“They should all tell us exactly what happened [and] how much money is involved,” he said.
The CRA is also required to report “material” breaches of taxpayer accounts to the privacy commissioner, who reports directly to Parliament.
In its June report to Parliament, the privacy commissioner’s office reported 71 breaches at the CRA in the fiscal year ending March 31, 2024. There were 42 reported privacy breaches in the past three years.
Since then, that number has exploded.
In response to questions from The Fifth Estate/Radio-Canada, the CRA acknowledged it had suffered more than 31,468 “serious” privacy breaches between March 2020 and December 2023, affecting 62,000 individual Canadian taxpayers.
Parliament was not notified
Privacy Commissioner Philippe Dufresne also declined to be interviewed.
In an email, his office defended the decision to leave the sharp increase in privacy breaches out of the June 2024 report to lawmakers. The commissioner’s office said the CRA had submitted the information after the March 2024 reporting period, and that the new numbers would be included in next year’s annual report.
The CRA said it reported the 31,468 privacy breaches only retroactively.
In response to questions from The Fifth Estate/Radio-Canada, the agency said “unauthorized third parties” had accessed Canadians’ tax accounts, changed direct deposit information, created “fraudulent tax information slips” and filed fraudulent returns. It said it had noticed a “significant increase in external data breaches and cyber threats.”
The CRA said it takes the protection of Canadians’ tax information “very seriously” and that when a breach occurs, affected taxpayers are notified and provided “credit protection where appropriate.”
The CRA did not say when or how it learned that the number of privacy breaches had been under-reported to Parliament, nor did it break down the total by year.
In 2020, the Treasury Committee reported that that year’s cyberattacks on the CRA had been brought under control. In 2022, a judge in a federal privacy-breach class action concluded that direct deposit information for 12,700 CRA accounts had been changed by fraudsters.
In a second statement issued Friday evening, the CRA announced that it had incorrectly authorized more than $190 million in bogus payments tied to “confirmed” privacy breach incidents between 2020 and early October 2024.
The agency said most of the cases occurred in 2020 during the height of the COVID-19 pandemic and have “significantly declined” in recent years.
The agency said in the statement that it paid out a total of $3 million to fraudsters in 2024. That figure seems at odds with the $6 million lost in this year’s H&R Block breach alone, officials said.
Sources say the CRA has a backlog of suspected cases that have not yet been reported as “confirmed” cases.
H&R Block credential compromise a “microcosm”
Not all schemes against the CRA involve privacy breaches; scammers often use their own accounts to file false claims.
Sources say the H&R Block incident is a microcosm of an overwhelmed, under-resourced and outmaneuvered agency, where hackers and fraudsters take advantage of the CRA’s failure to detect numerous fraudulent tax returns.
Complicating the agency’s efforts to crack down on fraudulent returns, officials say, is what is known as a “pay and chase” culture within the CRA: a deliberate policy of issuing refunds as quickly as possible and auditing discrepancies afterward.
Lareau said the CRA likes to promote its “image” as an “efficient” agency that collects returns “as quickly as possible.”
This approach leaves a gaping hole in which fraudsters thrive, officials told The Fifth Estate/Radio-Canada.
Officials first realized something was wrong in April when they noticed a dark web post purporting to sell illegally obtained H&R Block data.
The hackers had obtained H&R Block’s CRA-issued e-filing credentials, a confidential electronic key used by the company’s accountants to file returns on behalf of taxpayers.
It has since become clear that the stolen H&R Block credentials helped impostors access Canadians’ tax returns, change banking information and even addresses, and claim fake refunds and tax credits.
Officials said the CRA noticed multiple unrelated refunds being paid into the same bank account.
CRA auditors concluded that, after being tricked into paying out more than $6 million in 2024, they prevented an additional $14 million from going to fraudsters.
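The two signals the article mentions, many unrelated taxpayers’ refunds landing in one bank account and refunds issued shortly after a direct-deposit change, can be expressed as simple batch checks. The following is an added illustration, not CRA code; the record layout, field names and sample values are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Refund:
    taxpayer_id: str            # hypothetical internal id, not a real SIN
    account: str                # destination direct-deposit account (constructed)
    amount: float
    days_since_dd_change: int   # days between last direct-deposit change and payout


# Constructed sample batch; values are illustrative, not from the article.
SAMPLE = [
    Refund("T-0001", "ACCT-A", 1800.0, 400),
    Refund("T-0002", "ACCT-B", 2100.0, 3),
    Refund("T-0003", "ACCT-B", 950.0, 2),
    Refund("T-0004", "ACCT-B", 4200.0, 1),
    Refund("T-0005", "ACCT-C", 300.0, 900),
    Refund("T-0006", "ACCT-C", 500.0, 5),
]


def shared_account_alerts(refunds, min_taxpayers=3):
    """Accounts receiving refunds for >= min_taxpayers distinct taxpayers -> sorted taxpayer ids."""
    by_account = defaultdict(set)
    for r in refunds:
        by_account[r.account].add(r.taxpayer_id)
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) >= min_taxpayers}


def recent_change_alerts(refunds, max_days=7):
    """Refunds issued within max_days of a direct-deposit change; candidates for a hold."""
    return [r for r in refunds if r.days_since_dd_change <= max_days]


def held_amount(refunds, min_taxpayers=3, max_days=7):
    """Dollar value a verify-before-pay rule would hold rather than pay and chase."""
    flagged = shared_account_alerts(refunds, min_taxpayers)
    held = {r for r in refunds if r.account in flagged}
    held |= set(recent_change_alerts(refunds, max_days))
    return round(sum(r.amount for r in held), 2)


if __name__ == "__main__":
    print(shared_account_alerts(SAMPLE))   # ACCT-B is shared by three taxpayers
    print(held_amount(SAMPLE))             # 7750.0 held for review
```

Thresholds such as three taxpayers per account or a seven-day window are placeholders; a real program would tune them against its own false-positive rate.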
Lack of communication within and outside the agency
Officials said the CRA does not necessarily share sensitive information with financial institutions even when it suspects fraudsters are using a particular bank account.
Officials added that they were also concerned that a lack of internal communication was delaying the hunt for the hackers.
The CRA said in a statement that the spike in reported breaches dates back to 2020 and the introduction of the COVID-19 emergency benefit. The agency said it responded by increasing protections for individual taxpayer accounts and securing online services.
A CRA spokesperson said that in the event of a breach, “processes and procedures are in place to quickly respond and mitigate threats to taxpayer information and taxpayer accounts.”
“As fraudsters adapt their methods, the CRA adapts,” said agency spokeswoman Kim Tiffall.
- If you have a tip about the topic of this article, please email Harvey.Cashore@cbc.ca or Daniel.Leblanc@cbc.ca or call 416-526-4704.