
Thousands of taxpayers’ information accessed in CRA breaches. What to know


Canada’s privacy watchdog said in a special report to Parliament on Thursday that there had been more than 42,000 confirmed individual data breaches at the Canada Revenue Agency since 2020.

These breaches led to unauthorized access to confidential tax and personal information, often perpetrated by “bad actors with the objective of financial gain,” according to the report.

Federal privacy commissioner Philippe Dufresne said in the report that, given the number of breaches, the Canada Revenue Agency (CRA) failed to adequately protect the personal information that was under its control. He went on to make nine recommendations to the agency for improvement.

Here’s what you need to know about the CRA account breaches and what comes next:

How do I know if my data was accessed?

Dufresne noted in the report that the CRA could not provide the details of every account breach that was confirmed, due to tracking limitations and the overall volume of incidents.

The CRA says that it directly informs individuals or businesses it suspects have been the victim of a security incident.

“As soon as the CRA becomes aware of an alleged incident of identity theft or suspects your account was targeted, we take swift and immediate precautionary measures,” the agency said on its website.

“The CRA may send letters by registered mail to individuals and businesses who have been affected by incidents of suspected unauthorized access. The letter provides information on how to validate your identity to restore access to your account. You should follow the instructions in the letter.”

The CRA says it also directly contacts anyone it believes may have been the victim of identity theft and provides details on how to validate their account and personal information on file.

What kind of data was accessed?

The privacy commissioner’s report said that a breach was considered any unauthorized access to an individual taxpayer’s account, either by phone or online through the CRA’s My Account service.

The report didn’t specifically note what information was targeted in each account breach. However, once attackers gained access to an account, they would have had access to things like an individual’s social insurance number, home address and detailed tax information.

Breaches “can be linked to an incident where only a single account is impacted, or linked to a complex case where multiple taxpayers’ accounts are impacted,” the report said.

What has the CRA said?

The CRA said in a statement Thursday that it welcomed the findings in the privacy commissioner’s report.

“The protection of taxpayer information is of the utmost importance to the CRA and in today’s increasingly digital world, the CRA continually takes steps to safeguard sensitive information against ever-evolving threats,” the statement read.

“The CRA continues to implement security measures, technologies, processes and controls to ensure the security of taxpayer information.”

What should I do if I suspect my CRA account was breached?

The CRA says that you should contact the agency immediately if you suspect unauthorized access to your account, notice changes to it that you did not make, or receive a notice claiming to be from the CRA that shows any account changes you were not aware of.

Once the CRA confirms that your account has been compromised, the agency will temporarily disable access to it and contact you by phone or by letter mail with instructions on how to validate your identity and regain account access.

The CRA says it will then assess whether you’re entitled to free-of-charge credit protection and will stop sending any benefit or credit payments until your identity has been verified, while assisting in restoring personal information and ensuring you aren’t held liable for any fraudulent claims.

How can I protect my CRA account going forward?

The CRA says taxpayers should monitor their accounts closely and regularly, looking for any unexpected changes to things like mailing address, bank or direct deposit details, or authorized representatives.

The CRA also suggests changing your online password regularly.

“For added security, never use the same password for your various online accounts. For example, use different passwords for your CRA account and your online banking accounts,” the agency says on its website. “Make sure your passwords are complex and difficult for others to guess.”

Privacy commissioner’s recommendations

In Thursday’s report, the privacy commissioner made nine recommendations to the CRA, eight of which were fully accepted by the agency, with one being accepted in part.

The recommendations focus on strengthening account protections, such as increasing multi-factor authentication and over-the-phone clearance standards.

The recommendations also direct the agency to improve its tracking of future breaches, while also ensuring “that its monitoring and detection approach is tailored to the threats and risks” posed by bad actors.

“We are of the view that more actions should be taken to ensure that the (CRA) has in place a coordinated, proactive approach to protecting taxpayers’ accounts,” the report read.

With files from The Canadian Press

Correction

This article has been updated to reflect that Canadians are assigned social insurance numbers, rather than social security numbers.