Over 42,000 Data Breaches Affect Canadian Taxpayers' Accounts

Over 42,000 Data Breaches Affect Canadian Taxpayers' Accounts

First seen 11 May 2026, 13:34 UTC DailyhiveWealthprofessional.CaIapp 89% similarity 67.5

Article Content

Browse articles
ThreatCluster

Since 2020, the Canada Revenue Agency (CRA) has reported over 42,000 data breaches affecting taxpayer accounts, as revealed by the Office of the Privacy Commissioner (OPC). The breaches, classified as Unauthorized Use of Taxpayer Information by a Third Party (UUTP), primarily involved attackers using stolen credentials from external sources. Hackers accessed accounts to file false tax returns, redirect payments, or impersonate taxpayers via call centers. The CRA's inability to track and report these breaches effectively raised significant governance concerns. The OPC's investigation highlighted the lack of mandatory multi-factor authentication until October 2021 and the agency's reliance on self-reported breaches. The CRA has accepted most of the OPC's nine recommendations for improvement. The report was presented to Parliament on May 7, 2026.

Key Points: • Over 42,000 taxpayer accounts breached since 2020, primarily via stolen credentials. • CRA failed to implement mandatory multi-factor authentication until October 2021. • OPC's report highlighted significant governance and tracking deficiencies within the CRA.

ThreatCluster AI

Timeline

2024-10
OPC investigation launched
The Office of the Privacy Commissioner began investigating the CRA after media reports of account breaches surfaced.
Wealthprofessional.Ca
2026-05-07
OPC report submitted to Parliament
Privacy Commissioner Philippe Dufresne presented findings on CRA's data breach handling, confirming over 42,000 incidents.
Wealthprofessional.Ca
2026-05-09
CRA acknowledges OPC findings
The CRA welcomed the OPC's report and emphasized ongoing efforts to enhance security measures.
Dailyhive

Community

Browse all →