Canada's NDP

November 13th, 2024

CRA Hack Needs a Thorough Investigation

CBC’s The Fifth Estate recently broke the news that the Canada Revenue Agency had discovered that hackers had managed to obtain confidential data on taxpayers used by private tax firm H&R Block. Fraudsters then used the confidential information, including H&R Block’s confidential credentials, to log into the personal CRA accounts of thousands of individuals. What does this mean for most Canadians, why hasn’t the CRA made this information public, how much money has been fraudulently paid, and for those who have been hit with fraud, what can be done to protect them?

The scam, for the most part, works like this. Hackers obtained EFile credentials for Canadian taxpayers, generally those who used a third party to gain delegated access credentials, which means someone other than the taxpayer had filed tax returns on the taxpayer's behalf. This is a common practice for a tax filing agency such as H&R Block. Hackers would then use these credentials to log into an individual's CRA account and change account information, predominantly direct deposit information. Hackers would then file a false tax return. CRA would then send funds for the return, which happened before CRA would notice the scam. The hack would affect tens of thousands of Canadians, and CRA paid out millions to those committing fraud before it was noticed.

It's all very frustrating and harms the reputation of a government agency that is supposed to be, more so than perhaps any other government agency, above reproach. In a prepared statement, H&R Block stated that there is no evidence that they were responsible for the breach of taxpayer data. The CRA has denied a breach of its own systems and also denies that it was the work of an insider. While this particular data breach and subsequent fraud are troubling on their own, the CRA recently admitted to more than 31,468 "material" privacy breaches between March 2020 and December 2023. CRA would later admit to $190 million being issued to confirmed cases involving privacy breaches between 2020 and October 2024. Most of that sum was lost during the first year of the Covid-19 pandemic, but the breach involving the supposed H&R Block data list alone resulted in some $6 million in fraudulent payments. They did prevent another $14 million from being paid out as part of this breach, but the question remains why the fraud wasn’t caught sooner.

It’s also reasonable to ask why CRA staff, leadership, and by extension the Minister, weren’t more forthcoming with the details of the breach. In fact, it should go without saying that CRA needs to ensure that action be taken to combat breaches of Canadians’ confidential tax information. The vast majority of Canadians pay their fair share of taxes. Taxpayers have a trust relationship with their tax-collection agency, and they need to trust that the CRA takes tax fraud, in all its forms, seriously. We know that scammers, hackers, and fraudsters are becoming more sophisticated. We need CRA to adapt to that reality.

In order to ensure this type of thing doesn’t happen again, we need to get to the bottom of how it happened in the first place. New Democrats have been calling for a parliamentary inquiry into the CRA’s mishandling of tax fraud and tax cheating. It’s important to hear from CRA staff and leadership, experts in tax collection, the privacy commissioner, and experts in cyber-security and data leaks to ensure that Canadians can retain their trust that the CRA is doing everything in its power to prevent fraud from happening.

The government needs to bolster the CRA to ensure they have the resources necessary to go after tax frauds, and to chase after potential breaches. While there is a justifiable focus on those who have been misappropriating money from CRA, we also need the resources to go after people who defraud the government from the other end, such as those Canadians who hide their money in offshore accounts, like we’ve previously found in the Panama and Paradise Papers. Most Canadians understand that we have to pay our fair share in taxes, but also expect that remittances aren’t going to someone who obtained them through fraudulent means.