Over 42,000 Data Breaches Affect Canadian Taxpayers' Accounts
Severity: High (Score: 67.5)
Sources: Wealthprofessional.Ca, Dailyhive
Summary
Since 2020, the Canada Revenue Agency (CRA) has reported over 42,000 data breaches affecting taxpayer accounts, as revealed by the Office of the Privacy Commissioner (OPC). The breaches, classified as Unauthorized Use of Taxpayer Information by a Third Party (UUTP), primarily involved attackers using stolen credentials from external sources. Hackers accessed accounts to file false tax returns, redirect payments, or impersonate taxpayers via call centers. The CRA's inability to track and report these breaches effectively raised significant governance concerns. The OPC's investigation highlighted the lack of mandatory multi-factor authentication until October 2021 and the agency's reliance on self-reported breaches. The CRA has accepted most of the OPC's nine recommendations for improvement. The report was presented to Parliament on May 7, 2026.
Key Points:
- Over 42,000 taxpayer accounts breached since 2020, primarily via stolen credentials.
- CRA failed to implement mandatory multi-factor authentication until October 2021.
- OPC's report highlighted significant governance and tracking deficiencies within the CRA.
Key Entities
- Credential Stuffing (attack_type)
- Data Breach (attack_type)
- Canada Revenue Agency (company)
- Government of Canada (company)
- KPMG (company)
- Canada (country)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-287 - Improper Authentication (cwe)
- T1078 - Valid Accounts (mitre_attack)
- Efile System (platform)
- My Account Portal (platform)