Tens of thousands of taxpayer accounts hacked as CRA repeatedly paid out millions in bogus refunds | CBC News
At the height of this year's tax season, the Canada Revenue Agency discovered that hackers had obtained confidential data used by one of the country's largest tax preparation firms, H&R Block Canada.

Imposters used the company's confidential credentials to get unauthorized access into hundreds of Canadians' personal CRA accounts, change direct deposit information, submit false returns and pocket more than $6 million in bogus refunds from the public purse, an investigation by CBC's The Fifth Estate and Radio-Canada has found.

In one case, the hackers filed a return with a legitimate postal code but a fake address on a non-existent Tomato Street.

"Obviously the door is open and some people are infiltrating the system," André Lareau, an associate tax professor at Laval University in Quebec City, said in an interview. "But the CRA does not seem to have found the key to lock the door."

According to sources, the crisis prompted the CRA to contact the office of Revenue Minister Marie-Claude Bibeau.

The agency prepared media lines to respond to inquiries should there be questions about the breach of H&R Block data and why the agency paid out millions to scammers.

In the end, the public was never alerted to the scheme.

Bibeau declined The Fifth Estate/Radio-Canada's request for an interview.

In a statement, H&R Block said there is no evidence the breach came from it.

The tax firm said a comprehensive internal investigation concluded none of its data systems, software and security had been compromised. H&R Block said it is not aware that the Canadian taxpayers impacted by the breach were any of its own clients.

According to sources, the CRA failed to identify the hackers but ruled out the possibility of a breach of its own systems or insider involvement. Ultimately, who hacked that data and where from remains unknown.

Both the revenue minister and CRA's media relations office did not respond to questions about the H&R Block data breach.

The Fifth Estate and Radio-Canada are not identifying the sources because they
are not authorized to speak publicly.

The investigation by The Fifth Estate and Radio-Canada has found that the H&R Block data breach is just one example of many that are overwhelming the CRA, as auditors and investigators worry the public might lose trust in the agency tasked with safeguarding its taxpayer dollars and personal information.

As the agency scrambles internally to deal with so-called threat actors, The Fifth Estate/Radio-Canada investigation has found the public is mostly being kept in the dark about the staggering amounts stolen and the gaping flaws in the agency's ability to detect fraud.

Lareau said a parliamentary inquiry should be struck to determine the magnitude of the problem and to compel answers from the CRA and the minister.

"They all should tell exactly what happened and how much money is involved," he said.

The CRA also has a duty to report material breaches of taxpayer accounts to the Privacy Commissioner, who reports directly to Parliament.

In a report to Parliament in June, the privacy commissioner reported 71 breaches at the CRA in the fiscal year ending March 31, 2024. In the previous three years, 42 privacy breaches had been reported.

Those numbers have since exploded.

In answers to questions from The Fifth Estate/Radio-Canada, the CRA admitted it has been hit with more than 31,468 material privacy breaches from March 2020 to December 2023, affecting 62,000 individual Canadian taxpayers.

Privacy Commissioner Philippe Dufresne also declined an interview.

In an email, his office defended the decision to leave the massive increase in privacy breaches out of his June 2024 report to MPs. The commissioner's office justified the decision by saying the CRA sent the information after the March 2024 reporting period and that he will include the new numbers in next year's annual report.

For its part, the CRA said it only reported the 31,468 privacy breaches retroactively.

In response to questions from The Fifth Estate/Radio-Canada, the agency said it noticed a marked
increase in external data breaches and cyberthreats where unauthorized third parties accessed Canadians' tax accounts, changed direct deposit information, produced fraudulent tax information slips and filed fraudulent returns.

The CRA said individual taxpayers are informed when a breach occurs, that they are offered credit protection as required and that it takes the protection of Canadians' tax information very seriously.

The CRA would not answer how and when it first learned that the number of privacy breaches was being underreported to Parliament, nor did it break down the total numbers reported by year.

CRA paid millions in bogus tax refunds after hackers accessed thousands of accounts

In 2020, the Treasury Board reported that CRA cyberattacks that year had been brought under control. In 2022, a judge in a class-action lawsuit over federal government privacy breaches concluded that direct deposit information had been changed by scammers in 12,700 CRA accounts.

In a second statement sent Friday evening, the CRA said it had mistakenly authorized more than $190 million in bogus payments connected to confirmed cases of privacy breaches between 2020 and early October 2024.

The agency said most of those occurred in 2020 amid the COVID-19 pandemic and that there has been a drastic reduction in more recent years.

In its statement, the agency said it paid out a total of $3 million in 2024 to imposters, a figure that appears at odds with the $6 million lost in this year's H&R Block data breach alone, according to sources.

According to sources, the CRA has a backlog of suspicious cases that have not yet been reported as confirmed cases.

Not all schemes against the CRA involved privacy breaches. Scammers often use their own accounts to make bogus claims.

According to sources, the case involving H&R Block is a microcosm of an overwhelmed, under-resourced and outmanoeuvred agency where hackers and scammers thrive on the CRA's inability to detect a multitude of tax return frauds.

Complicating the
agency's efforts to crack down on fraudulent returns, sources say, is what is known inside the CRA as a "pay and chase" culture, a deliberate policy to get out tax refunds to the public as fast as possible and audit discrepancies later.

Lareau said the CRA likes to promote an image of an efficient agency that gets out returns as quickly as possible.

That approach leaves a gaping hole for fraudsters to flourish, sources have told The Fifth Estate/Radio-Canada.

It appears agency officials initially discovered something was wrong after noticing postings on the dark web in April offering to sell illegally obtained H&R Block data.

Hackers had obtained H&R Block e-filing credentials provided by the CRA, in essence the confidential electronic keys used by the firm's accountants to file returns on behalf of taxpayers.

It eventually became clear that the stolen H&R Block information helped imposters gain access to Canadians' tax returns, change banking information and even their addresses in order to claim bogus refunds and tax credits.

According to sources, the CRA realized that it had issued multiple unrelated bogus refunds to the same bank account.

CRA auditors concluded that they were duped into paying out more than $6 million in 2024 before stopping another $14 million from being paid out to imposters.

According to sources, the CRA does not always share key information with financial institutions, even when it suspects fraudsters are using one of their bank accounts.

Sources added the agency also worried that a lack of internal communication slowed down the hunt for the hackers.

In its statement, the CRA said the sharp rise in reported breaches goes back to 2020 and the introduction of COVID-19 emergency benefits. The agency said it has responded by offering greater protection to individual taxpayer accounts and safeguarding its online services.

A CRA spokesperson stated that processes and procedures are in place to quickly respond and mitigate threats to taxpayer information and taxpayer
accounts in the event of a breach.

"As scammers adapt their practices, so does the CRA," said agency spokesperson Kim Thiffault.

Harvey Cashore is an investigative reporter with the CBC's weekly investigative program The Fifth Estate.