CRA paid out millions in illegitimate tax refunds to hackers 

By Quinn Patrick

Online hackers managed to access the personal financial data of hundreds of Canadians through the tax preparation company H&R Block to scam the Canada Revenue Agency out of millions of dollars.

An investigation conducted by CBC’s The Fifth Estate and Radio-Canada found that imposters were able to hack into the company’s database, change customers’ direct deposit information and submit false returns to make off with over $6 million in fraudulent refunds. 

One case even involved hackers using a fake address called Tomato Street to get a refund with the help of a legitimate postal code. 

Despite the CRA being notified of the breach, the agency failed to notify the public of the scam.

“The delays in reporting these breaches from between March 2020 to December 2023 can be attributed to the need to develop a reporting process for these types of privacy breaches, and the fact we prioritized protecting the accounts and advising affected taxpayers,” CRA spokesperson Sylvie Branch told True North.

“They can also be attributed to external factors beyond the CRA’s control, such as difficulty in contacting taxpayers to confirm the breach.”

H&R Block released a statement in response to the investigation claiming that there was no evidence that they were responsible for the security breach following a “comprehensive internal investigation.”

The tax preparation company said that none of its “data, systems, software and security” had been compromised and that to its knowledge, none of the affected taxpayers were H&R Block clients.

While the CRA has yet to identify any of the hackers, sources who spoke with The Fifth Estate on condition of anonymity say it ruled out the possibility that the breach came from within its own database system or was the result of insider involvement.

There have been 71 security breaches at the CRA in the fiscal year ending March 31, 2024, according to a report by the privacy commissioner. 

However, there were only 42 breaches in the previous three years, revealing that the threat posed by cyber hackers is growing exponentially. 

The CRA admitted during an interview with The Fifth Estate that it dealt with more than 31,468 “material” privacy breaches from March 2020 to December 2023, affecting 62,000 individual Canadians.

“We have made strategic investments to proactively detect, report, and address external fraud and the unauthorized use of taxpayer information by a third party (UUTP),” said Branch. “These UUTP breaches often involve personal information, in most cases obtained from external sources, used to help bypass existing security measures to access or modify taxpayer information.”

Privacy Commissioner Philippe Dufresne told CBC News in an email that his office chose to omit the massive increase in privacy breaches from the June 2024 report to MPs because the CRA already reported that information in the March 2024 report.

He added that the new figures will be included in his report next year. 

The CRA also said that the 31,468 privacy breaches had been reported retroactively.

The agency said that when a breach occurs, individual taxpayers are informed and are offered “credit protection as required,” but it would not say when or how it first learned that privacy breaches were being underreported to Parliament.

According to the CRA, it had mistakenly authorized over $190 million in fraudulent payments in connection with “confirmed” cases of privacy breaches since 2020, with the bulk of them occurring in 2020 during the COVID-19 pandemic.

The hackers were allegedly able to obtain information via H&R Block e-filing credentials provided by the CRA, and would then alter that information to receive the fraudulent returns on behalf of the taxpayers.

The CRA eventually learned that it had issued multiple, unrelated refunds to the same bank account before agency auditors concluded that they had been swindled out of more than $6 million this year. 

Upon learning this, the CRA was able to prevent an additional $14 million in fraudulent returns before they were paid out to hackers. 

“In the particular case raised by the CBC, threat actors attempted to obtain a total of $21.5M,” said Branch. She added that “the CRA can confirm” that it “blocked” $157 million and “intercepted” $14.9 million. 
