Privacy watchdog flags tax account breaches

The federal privacy watchdog says there have been more than 42,000 breaches at the Canada Revenue Agency since 2020 as a result of people gaining unauthorized access to, or modifying, taxpayer information.
In a special report tabled Thursday in Parliament, privacy commissioner Philippe Dufresne pointed to gaps in the revenue agency's prevention, monitoring, detection and handling of breaches.
The revenue agency told Dufresne's office that attackers, often using stolen or leaked credentials from external sources, were able to successfully gain access to taxpayers' accounts.
"Bad actors also use legitimate information to modify individuals' accounts, presumably in an effort to file false tax returns, direct CRA payments to themselves or claim benefits," the commissioner's report said.
"In addition, attackers can make changes to accounts without ever directly accessing a taxpayer account, for example, by filing a false tax return, or updating information on an account by impersonating and successfully passing challenge questions via a call centre."
Dufresne found the revenue agency couldn't provide details of every confirmed breach due to limitations in its tracking systems and the overall volume of incidents.
The commissioner's office said the agency did not implement mandatory multi-factor authentication — a means of helping people bolster account security — in a timely manner and did not consistently rely on methods considered to be best practices.
It also said the agency could not always adequately explain how attackers managed to bypass authentication processes.
The commissioner made nine recommendations for improvement, eight of which were accepted in full and one in part by the revenue agency.
In a statement Thursday, the revenue agency welcomed the commissioner's findings, saying they would ensure Canadians could continue to trust the agency to protect their personal information.
"The protection of taxpayer information is of the utmost importance to the CRA and in today’s increasingly digital world, the CRA continually takes steps to safeguard sensitive information against ever-evolving threats," the statement said.
"The CRA continues to implement security measures, technologies, processes and controls to ensure the security of taxpayer information."
The agency said in an era of persistent threats, it regularly performs security assessments such as vulnerability scanning and risk analysis.
"While many incidents are identified through information provided by taxpayers, the CRA also uses automated monitoring, threat intelligence, and internal analysis to detect suspicious activity," the statement said. "We are committed to continually implementing additional lines of defence to protect taxpayer information."
This report by The Canadian Press was first published May 7, 2026.
By Jim Bronskill