Investigation of unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency
Special report to Parliament
May 7, 2026
For more information, contact:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Phone: 819-994-5444
TTY: 819-994-6591
© His Majesty the King in Right of Canada, for the Office of the Privacy Commissioner of Canada 2026.
Cat. No.: IP54-121/2026E-PDF
ISBN: 978-0-660-99753-7
Letter to the Speaker of the Senate
BY EMAIL
May 7, 2026
The Honourable Raymonde Gagné, Senator
Speaker of the Senate
Senate of Canada
Ottawa, Ontario K1A 0A4
Dear Madam Speaker:
I have the honour to submit to Parliament the Special Report of the Office of the Privacy Commissioner of Canada entitled, Investigation of Unauthorized Disclosures and Modifications of Taxpayer Personal Information at the Canada Revenue Agency. This tabling is done pursuant to sections 39(1) and 40(1) of the Privacy Act.
Sincerely,
(Original signed by)
Philippe Dufresne
Commissioner
Letter to the Speaker of the House of Commons
BY EMAIL
May 7, 2026
The Honourable Francis Scarpaleggia, M.P.
Speaker of the House of Commons
House of Commons
Ottawa, Ontario K1A 0A6
Dear Mr. Speaker:
I have the honour to submit to Parliament the Special Report of the Office of the Privacy Commissioner of Canada entitled, Investigation of Unauthorized Disclosures and Modifications of Taxpayer Personal Information at the Canada Revenue Agency. This tabling is done pursuant to sections 39(1) and 40(1) of the Privacy Act.
Sincerely,
(Original signed by)
Philippe Dufresne
Commissioner
Overview
- In October 2024, the media reported [Footnote 1] that many Canadian taxpayers’ accounts at the Canada Revenue Agency (CRA) had been exploited by bad actors since as early as March 2020.
- These reports noted that attackers were successfully gaining access to Canadians’ CRA accounts to obtain or modify personal information, allowing them to subsequently redirect or submit fraudulent requests for Government of Canada (GC) benefit payments, and increasing the risks of identity theft, causing financial loss and other hardship to individuals. The CRA describes these breaches as Unauthorized Use of Taxpayer Information by a Third Party (UUTP).
- In October 2024, following receipt of a complaint, the Office of the Privacy Commissioner of Canada (OPC) launched an investigation into the matter to examine whether the CRA met its obligations under the Privacy Act (the Act).
- The purpose of the investigation is to assess whether the CRA had appropriate safeguards in place to protect taxpayers’ personal information from unauthorized access and modification, and more specifically, against identity theft and bad actors that impersonate legitimate taxpayers in order to access or modify their information and use it to claim benefits from the CRA.
- We note that in February 2024 the OPC concluded an investigation into the CRA, which examined a 2020 cyber attack that targeted the CRA’s My Account online service, impacting thousands of taxpayers. That investigation focused on the attack technique called credential stuffing, whereas the scope of the current investigation included all attack vectors and techniques that bad actors use to compromise taxpayers’ accounts.
- During this investigation, the CRA was unable to provide the OPC with details of every confirmed UUTP it had reported, which it explained was due to limitations in its tracking systems, the overall volume of breaches and the intensive resources required. Instead, the CRA submitted a statistically representative sample of UUTPs for the OPC’s review.
- The CRA’s submissions also lacked certain key details which the OPC deemed necessary in order to determine the strength of the CRA’s security controls, and the effectiveness of its enhancements to prevent future UUTPs. As a result of the missing details, our investigation relied on the information available to determine the overarching principles guiding the bad actors’ approach to conduct successful UUTPs. This, in turn, informed our analysis of the CRA’s security posture regarding prevention, detection, containment, remediation and governance of UUTPs.
- Overall, we observed significant efforts by the CRA over the last five years to improve its security posture, following the OPC’s investigation into a related issue. Notably, the CRA’s approach to containment and mitigation has been satisfactory. Additionally, we recognize that the CRA’s practices have evolved and matured over the period under investigation.
- Nevertheless, our investigation concluded that there are shortcomings in the CRA’s prevention, monitoring and detection, remediation, and governance.
- Regarding prevention, for example, we note that the Agency did not implement mandatory multi-factor authentication (MFA) in a timely manner; once it did, it did not rely on the strongest methods according to industry best practices. Additionally, the CRA has not adopted best practices articulated within a zero-trust approach to security, nor does it have sufficient visibility over its attack surface.
- With reference to monitoring and detection, the CRA relies on a myriad of tools; however, during the period under investigation, the fact that the majority of UUTPs remained self-reported, combined with the fact that the CRA is unable to identify when and how each individual UUTP actually occurred, raises questions about the effectiveness of the CRA’s approach.
- With respect to remediation, the CRA undertakes root cause analysis as part of its response to complex schemes. However, as a matter of practice, it does not undertake the same approach for individual UUTPs that are not part of complex schemes. This deprives the CRA of valuable intelligence about bad actors’ tactics and the vulnerabilities of compromised entry points. This is key for the CRA to tailor its defence and corrective measures to its authentication processes. In addition, the fact that the CRA does not track when the UUTPs actually occurred makes it difficult to assess the effectiveness of its remedial efforts.
- Finally, we take note of the CRA’s creation of certain key teams to support its governance but ultimately conclude that the Agency’s approach is not sufficiently coordinated and proactive to address UUTPs.
- Our investigation concludes that the CRA contravened subsections 6(2) and 8(2) of the Privacy Act (the Act), regarding accuracy and disclosure of personal information. We make 9 recommendations to the CRA, of which the Agency accepted 8 in full and one in part. Accordingly, we find the complaint well-founded and conditionally resolved.
Background
- In February 2024, the OPC concluded an investigation [Footnote 2] into the CRA, which examined a 2020 cyber attack that targeted the CRA’s My Account online service, impacting thousands of taxpayers. That investigation found that the CRA had under-assessed the level of identity authentication warranted given the elevated sensitivity of the personal information accessible, and that it lacked adequate monitoring to detect and promptly contain the breach. Accordingly, the OPC recommended, and the CRA agreed to improve its authentication practices and monitoring. The CRA has been providing updates to the OPC since it issued the 2024 Report, and in January 2026, the CRA reported to the OPC that all activities related to these commitments had been completed.
- That investigation focused on a technique called credential stuffing, wherein stolen credentials obtained from previous breaches at other organizations are used to access existing online accounts owned by the same individual. During the final stages of that investigation, the OPC learned of unreported breaches related to fraudulent Canada Emergency Response Benefits (CERB) [Footnote 3] applications and payments dating back to 2020, affecting up to 15,000 individuals. At that time, the CRA advised that these additional breaches were unrelated to credential stuffing and it committed to report to the OPC on any UUTPs deemed to be material. [Footnote 4]
- On May 9, 2024, the OPC received a breach report from the CRA that included details of 31,393 individual cases of Unauthorized Use of Taxpayer Information by a Third Party (UUTP), retroactively spanning from May 11, 2020 to November 9, 2023. The CRA reported that this number included the previously unreported 15,000 breaches referenced in the credential stuffing investigation report.
- Following receipt of the May 2024 breach report and in the months leading up to the launch of this investigation, the OPC engaged and met regularly with the CRA to better understand and assess the volume of breaches, and to determine next steps.
- The CRA indicated that “UUTP” is a term used by the Agency to characterize the unauthorized access, disclosure, or use of an individual or business’s confidential tax information by someone other than the taxpayer or authorized person (such as an accountant). [Footnote 5] UUTPs can be linked to an incident where only a single account is impacted, or linked to a complex case where multiple taxpayers’ accounts are impacted. UUTPs result in unauthorized access to, or modification of, taxpayers’ personal information by bad actors with the objective of financial gain. In UUTPs, attackers impersonate legitimate taxpayers by using the taxpayers’ personal information obtained from different sources. In general, when attackers exploit technical vulnerabilities, the detection techniques used differ from those which would apply to cases involving attackers who exploit human vulnerability. As such, the CRA reported that, during the period under investigation, UUTPs may only be detected months or even years after they occur and notes that they are most commonly brought to the CRA’s attention by the taxpayers themselves.
- The Treasury Board Secretariat’s (TBS) Policy on Privacy Protection requires government institutions to report breaches no later than seven days after determining a breach to be material. [Footnote 6] However, in light of the challenges with detecting UUTPs and the significant volume the CRA was facing, it requested permission from TBS to report individual UUTP breaches on a quarterly basis, and TBS granted the request in October 2024, on the condition of an annual review. [Footnote 7]
- The May 2024 report was the first quarterly report that the OPC received from the CRA. At the time of writing this report, the CRA has submitted six quarterly reports totalling 42,755 confirmed individual breaches. [Footnote 8] The CRA also reported on confirmed privacy breaches resulting from complex cases and business UUTPs separately, as required by TBS policy.
- In October 2024, following reports in the media about thousands of taxpayer accounts being compromised for financial gain, and a high volume of breaches being underreported, the OPC received a complaint and launched an investigation. Relatedly, the Standing Committee on Access to Information, Privacy and Ethics (ETHI) commenced a study of privacy breaches at the Canada Revenue Agency. Over the course of four meetings in November and December 2024, ETHI heard evidence from 10 witnesses, including the Privacy Commissioner of Canada. [Footnote 9]
Scope and Methodology
- The fact that breaches occurred is not in dispute; however, this does not, in and of itself, mean that an organization did not take adequate steps to protect personal information under its control. Therefore, the purpose of this investigation was to assess the safeguards that the CRA had in place to prevent unauthorized access to, disclosure of and modification of taxpayers’ information and systemically assess how the CRA’s systems were protected against various attack vectors regardless of the vector and the point of entry used by bad actors.
- At the beginning of the investigation, we asked the CRA for details on the 34,625 confirmed UUTPs it had reported up to that point over two quarterly reports, [Footnote 10] in order to assess the measures in place to protect against UUTPs and the effectiveness of the CRA’s breach response. More specifically, we requested information pertaining to points of entry to CRA’s systems, the vectors of attack used by bad actors in the breaches, and how they were detected, remediated and mitigated.
- The CRA was unable to provide the OPC with the requested information related to all individual UUTPs. As the CRA explained, this is in part attributable to the fact that it only began tracking individual UUTPs in 2022. [Footnote 11] The CRA also cited limitations in its tracking systems.
- Due to the lack of details about the vectors of attack and what vulnerabilities of the points of entry were exploited in each case, the CRA was unable to identify and explain to the OPC exactly how each of the breaches occurred. The OPC was consequently unable to assess the effectiveness of the remediation and preventative measures that the CRA implemented to prevent recurrence.
- To address this, the CRA proposed to submit a sample of UUTPs for the OPC’s review, indicating that it would be statistically representative of all UUTPs. [Footnote 12] Given that information about all of the breaches was not available, the OPC accepted the CRA’s proposed approach in order to gain some insight into the data.
- Based on the sample that the CRA provided, we focused our investigation on the entry points that were most commonly used, specifically: i) financial institutions; [Footnote 13] ii) My Account; [Footnote 14] and iii) general enquiries phone calls. [Footnote 15] Additionally, we examined two other entry points: tax returns [Footnote 16] (one of the identified entry points in the sample, and subject of a particular scheme exploiting the EFILER service [Footnote 17] reported in the media) and Represent a Client, which had appeared in previous reporting to the OPC. [Footnote 18]
- The OPC based its conclusions on written submissions from the CRA, including CRA breach reports, privacy impact assessments and follow-up submissions to our 2024 Report, as well as demonstrations and briefings from subject matter experts within different CRA program areas. We also gathered publicly available information, including media reporting and parliamentary committee hearing transcripts.
Analysis
Issue: Did the CRA adequately protect personal information against unauthorized disclosure and modification?
- Section 8 of the Act directs government institutions not to disclose personal information under their control, without consent from the individual, unless the disclosure meets one of the exceptions articulated in s.8(2).
- Section 6(2) requires government institutions to take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.
- In its breach reporting to the OPC, the CRA acknowledges contraventions of both sections 8 and 6(2). In some cases, bad actors accessed information within accounts; in others, bad actors changed account information, rendering it inaccurate. As a result, the OPC finds that the CRA contravened the Act. The complaint is therefore well-founded.
- The Act’s purpose is to protect the privacy of individuals with respect to their personal information held by a government institution. This creates an obligation for institutions to ensure that reasonable safeguards are in place to protect personal information. While not explicitly required under the Act, safeguards are mandated by relevant TBS privacy policy instruments that support the Act’s administration. [Footnote 19] The implementation of safeguards helps to ensure that appropriate security controls are in place to protect personal information from both accidental and deliberate threats: unauthorized access, modification, disclosure, misuse, and more.
- The OPC has previously reported, and it is well known, that the CRA’s information holdings are vast and include a significant amount of sensitive personal information belonging to Canadians. [Footnote 20] In addition, the CRA notes, in its representations and internal policy, that it is “an attractive target for external threat actors looking to capitalize on the Agency’s role in distributing refunds and benefits to Canadians.” We previously stated, and it remains the case, that the risk of harm to individuals from unauthorized disclosure and modification to information under the CRA’s control is high. Individuals can be impersonated and experience the loss of thousands of dollars of benefits or tax refunds or be held liable for thousands of dollars of fraudulent benefit claims or tax filings. [Footnote 21] These risks can also result in privacy harms including the psychological stress of being victimized (potentially for years) by identity theft. [Footnote 22]
- Accordingly, we expect that the elevated sensitivity and volume of personal information, as well as the severe consequences its compromise may have on Canadian taxpayers, warrants commensurate safeguards to protect against unauthorized modification and disclosure.
- Safeguards and security controls should adequately protect against both prevalent cybersecurity threats and targeted threats such as UUTPs. Where an atypical vulnerability or attack vector exists, we would expect the CRA to take specific and tailored actions to strengthen security measures to address the resulting risk(s).
- We therefore sought to understand how the CRA’s systems operate, the key points of entry and approaches used by attackers, and how the CRA’s structure facilitates prevention, monitoring, detection, containment and mitigation of breaches.
CRA Systems
- According to the CRA website, “My Account is an online portal in your CRA account” where individuals can “view and manage [their] personal and tax information, apply for benefits, and make payments to the CRA.” My Account is not the only portal available for accessing CRA services: individuals can also set up My Business Account [Footnote 23] to view and update their business tax information and “Represent a Client” [Footnote 24] to “manage business, trust, or individual information on behalf of someone else with their authorization.” [Footnote 25] These portals together comprise a CRA account.
- An individual can register for and sign into a CRA account with one of three options: i) CRA user ID and password; ii) Sign-In partner; and iii) Provincial partner. To register for a CRA user ID and password, an individual must have a social insurance number (SIN) and have filed their taxes for the current or previous tax year. To register using a sign-in partner, which allows an individual to use their online banking information to sign in, they must also have an account with one of the listed financial institutions and be registered for online banking. Finally, to register with a Provincial partner, an individual must have a British Columbia Services Card account, or an Alberta.ca account, and a SIN to validate their identity the first time they sign in. [Footnote 26]
- The OPC asked the CRA about all publicly accessible entry points to its systems. This information was necessary for the OPC to investigate the specific entry points that bad actors exploited to breach individuals’ personal information, while remaining attuned to the CRA’s entire threat surface. [Footnote 27] The CRA initially did not provide this information, but later produced a list of entry points for the OPC’s review, which the Agency organized into five categories: i) Digital Services; [Footnote 28] ii) Telephone Services; [Footnote 29] iii) Paper Mail and Fax-based Services; [Footnote 30] iv) In-Person Services; [Footnote 31] and v) Data Sharing. [Footnote 32]
- This investigation focused on the specific entry points that were most commonly used based on the sample that the CRA provided, as follows: i) financial institutions; ii) My Account; iii) general enquiries phone calls; and iv) tax returns. [Footnote 33] Tax returns appear in the data sample and in a publicly reported scheme exploiting the EFILE service, and “Represent a Client” services appear in complex schemes that the CRA has reported.
- We note that while the sample provided some of the information we had requested, it did not fully address a key question: how attackers were successful in bypassing the authentication processes to gain unauthorized access to, or modify, personal information under the CRA’s control. While the CRA’s representations indicated the entry point and the results of the compromise, it did not explain the how of the compromise or precisely what vulnerability was exploited in each case.
My Account
- When an individual has a CRA account, they have access to the My Account portal, which allows them to view and modify several elements of their personal information, including their mailing and email addresses, telephone numbers, notification preferences, marital status and direct deposit. Through My Account, individuals also have the option to apply for eligible benefits.
- To register for a CRA account, individuals must first verify their identity. To do so, the CRA requires the individual to provide their social insurance number (SIN), date of birth (DOB), and amounts reported on their most recent, assessed tax return from within the last two tax years. After providing this information, the individual can choose to create a CRA credential in the form of a CRA User ID and password, or use credentials already established with a Sign-In Partner, such as an authorized financial institution.
- After successfully verifying their identity, the individual can proceed to enroll in multi-factor authentication (MFA) to receive their one-time passcode by either a third-party authenticator app, a passcode grid, or by phone. They will be prompted to enroll with two MFA options. Individuals are required to provide a one-time passcode each time they sign in to their CRA account. The final step of the registration process is to verify their identity through a document verification service or by receiving a CRA security code in the mail.
Financial institutions
- The Sign-In partner option allows an individual to use their banking credentials to gain access to their CRA account, while being authenticated by their financial institution. [Footnote 34] When an individual has registered for their account using this option, they may also direct a request to update their direct deposit information to their financial institution.
- When signing on this way, individuals are directed to a log-on page for their selected financial institution. Once there, they are prompted to enter their credentials for the financial institution of which they are a client. If the credentials are accepted, they then arrive at the CRA’s multi-factor authentication challenge, which is the final step before accessing their CRA account. [Footnote 35]
General enquiries phone calls
- Individuals can utilize the CRA’s telephone services [Footnote 36] to access general information or account-specific information, or to take certain actions on their accounts. For example, individuals can use these services to obtain account balances and some tax information, or they can update their name, marital status or address.
- In order to access these services by phone, individuals are asked questions based on certain biographical and CRA account-related information.
Tax returns
- Individuals can file their tax return using tax software and submitting it online, or on paper by mail. They can also engage a tax preparation company, or EFILER, to submit their return on their behalf. Depending on how an individual files their return, the process differs:
- When using tax software, individuals must fill in personal information such as their name, address and SIN; enter their taxation information, and then submit. [Footnote 37] At the time of writing, individuals could update their email address, marital status and language of correspondence through their tax return; however, individuals are encouraged to confirm that the CRA has their correct direct deposit information, mailing address and notification preferences (online or letter mail) before filing. [Footnote 38]
- When filing by paper, individuals must request a paper income tax package from the CRA and then mail it to the CRA.
EFILE
- EFILE is an automated service for use by approved tax preparers [Footnote 39] to file their clients’ tax returns electronically. Individuals do not engage with EFILE: rather, individuals engage with a registered tax preparer, who uses documentation that the individual provides in order to file a return on their behalf using EFILE.
- In order to register to use EFILE, tax preparers must complete an application form and undergo suitability screening by the CRA. [Footnote 40] If the CRA determines that the tax preparer is eligible, upon registration, the CRA provides tax preparers with an EFILE number and password combination, which the CRA encourages them to keep confidential. EFILE users are required to renew their account annually; upon renewal, EFILE passwords are automatically reset. [Footnote 41] All tax returns filed by the same tax preparer are filed under the same EFILE number.
- EFILE users rely on software products to submit income tax returns on behalf of their clients. These software products must be verified and tested to ensure that they are compatible with EFILE, and to ensure that they reflect legislative changes.
Represent a Client
- A taxpayer can authorize other individuals or EFILERs to engage with the CRA on their behalf. These authorized individuals become representatives of the taxpayer and have access to tax-related information for the individual that they represent. [Footnote 42]
- A representative can be anyone authorized to access information and services on behalf of individuals, businesses, registered plan owners, and trusts. This authorization comes from the individual, business, trust, or registered plan owner who designates the representative. Representatives could include a friend or family member, a legal guardian or individual granted power of attorney, a financial planner, etc. To use the Represent a Client portal, representatives are required to have a CRA account. From the CRA account Welcome page, representatives must add a Representative account and register with Represent a Client. They will then be provided with a RepID number. With registration status complete, representatives can request authorization from a taxpayer to access their information, or the taxpayer can request representation from a registered representative through their account. [Footnote 43] Services available to the representative vary depending on whether the client is an individual, a business or a trust: individuals can consent to the representative only viewing the information, or alternatively viewing and making changes to information. The CRA reserves certain accesses and modifications to legal representatives. [Footnote 44] Additionally, the CRA represented that internal mechanisms can prevent a representative from taking action on an account.
- In a previous investigation [Footnote 45] in 2023, the OPC learned that bad actors used “Represent a Client” to fraudulently access taxpayer accounts. The CRA indicated that the processes surrounding how individuals use this portal had been strengthened as part of the recommendations made to the CRA in our 2024 Report. The OPC was satisfied with the measures taken.
Attackers’ Approach
- Understanding the modus operandi of bad actors is critical. It allows institutions to predict and anticipate their actions and proactively implement tailored defences.
- The CRA reported that attackers, often using stolen or leaked credentials from external sources, were able to successfully gain access to taxpayers’ accounts. Bad actors also use legitimate information to modify individuals’ accounts, presumably in an effort to file false tax returns, direct CRA payments to themselves or claim benefits. In addition, attackers can make changes to accounts without ever directly accessing a taxpayer account, for example, by filing a false tax return, or updating information on an account by impersonating and successfully passing challenge questions via a call centre.
- Our analysis of CRA’s breach reports on complex cases identified some tactics that bad actors relied on to gain access to taxpayers’ accounts. Given the operational sensitivity of the details of these cases, the present report intentionally omits the specific details of what occurred. [Footnote 46] These cases provided insight into bad actors’ tactics and vulnerabilities, as well as whether the CRA addressed them or should implement further enhancements.
- The investigation revealed several factors that increase the risk of unauthorized access into CRA systems. An attacker benefits from understanding which point(s) of entry are available for exploitation, how to bypass the CRA’s authentication measures, and how to access or modify the taxpayer’s personal information. From there, the attacker needs to obtain some combination of CRA credentials, other account credentials/details (such as banking information, EFILER or Represent a Client, etc.) or sufficient information regarding a taxpayer’s account. The CRA’s systems and services are complex and interwoven; attackers can combine information in a number of ways. Overall, UUTPs may involve, among other things, the following tactics:
- Establishing a means of receiving money: the CRA issues benefits and refunds through direct deposit, or through cheque sent by mail.
- Bank account information for direct deposits can be changed only through a CRA account or directly through a Canadian bank or credit union. Individuals who cannot use an online method must mail in a direct deposit enrolment form. [Footnote 47] During the period of the breaches under investigation, there were additional avenues to change bank details associated to a taxpayer’s account (for example, by phone, EFILE, etc.).
- Mailing addresses can be updated online through a CRA account, by phone, and by mail using a specific change of address form. Additionally, a mailing address can be updated by filing a tax return by paper or electronically by EFILE (i.e., through a tax preparer). [Footnote 48] During the period of the breaches under investigation, there were additional avenues to change address information, such as by filing a tax return through NETFILE.
- Establishing direct account access with credentials: the CRA encourages individuals to keep their credentials secure, including by not reusing them. However, through third-party breaches, phishing schemes, or other illicit means, an attacker can obtain credentials to CRA accounts (My Account, Represent a Client, Business Account, credentials to access financial institutions).
- Establishing a way to bypass authentication without credentials: the CRA’s authentication measures vary by entry point. Some of them require successfully responding to challenge questions with information related to the taxpayer. This information may be publicly accessible or obtained through third-party breaches, phishing schemes, and other illicit means, and then leveraged to access or modify CRA account information.
- Given the above, the OPC expects the CRA to be aware of the threats, and to understand the risks and bad actors’ tactics, techniques, and procedures (TTPs). [Footnote 49] This is key to defending against bad actors’ modus operandi. Because not every attack can be thwarted, the CRA must have the tools/processes to monitor for, detect and quickly contain breaches, mitigate the harms they cause to impacted individuals and implement remedies to prevent the recurrence of breaches.
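The tactics described above (changing where a benefit or refund is delivered through a channel that has no MFA step, then claiming a payout) suggest one correlation a defender could run over timestamped account-change records, which would also give the "when did it happen" estimate the report says was missing for individual UUTPs. The following is an added example, not CRA code and not taken from the report; the log format, the channel and event names, which channels are treated as MFA-protected, and the 30-day window are all constructed assumptions.

```python
"""Correlate account-change events to surface the redirect-then-claim pattern.

Added illustration, not CRA code. The log format, channel names, event names,
MFA channel set and the 30-day window are constructed assumptions.
"""
from datetime import datetime, timedelta

# Assumption for this example: only portal sign-in paths carry an MFA step.
# The report names phone, EFILE, NETFILE and paper mail as other channels that
# allowed payout-detail changes during the period under investigation; any
# channel not listed here is treated as lacking MFA (fail toward flagging).
MFA_CHANNELS = {"my_account", "sign_in_partner"}

# Changes that redirect where money is delivered
# (the "establishing a means of receiving money" tactic).
REDIRECT_EVENTS = {"direct_deposit_change", "address_change"}
# Events that realise the financial gain.
PAYOUT_EVENTS = {"benefit_application", "refund_issued"}

# Constructed sample log: ISO timestamp | opaque account id | channel | event.
SAMPLE_LOG = """\
2023-03-01T09:00:00|acct-A|phone|address_change
2023-03-02T10:15:00|acct-A|efile|direct_deposit_change
2023-03-20T08:00:00|acct-A|my_account|benefit_application
2023-03-05T11:00:00|acct-B|my_account|direct_deposit_change
2023-03-25T14:00:00|acct-B|my_account|refund_issued
2022-11-10T12:00:00|acct-C|phone|address_change
2023-06-01T12:00:00|acct-C|my_account|refund_issued
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, account, channel, kind) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, channel, kind = (f.strip() for f in line.split("|"))
        events.append((datetime.fromisoformat(ts), account, channel, kind))
    return events


def analyze(text, window_days=30):
    """Flag accounts where payout details were changed through a channel with no
    MFA step and a benefit claim or refund followed within the window.

    Returns {account: {"suspected_start": ISO timestamp of the earliest matching
    change, "reasons": [explanations]}}. suspected_start is the kind of
    earliest-compromise estimate that per-UUTP tracking would make possible.
    """
    by_account = {}
    for ev in parse_log(text):
        by_account.setdefault(ev[1], []).append(ev)

    window = timedelta(days=window_days)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda ev: ev[0])
        redirects = [ev for ev in evs
                     if ev[3] in REDIRECT_EVENTS and ev[2] not in MFA_CHANNELS]
        payouts = [ev for ev in evs if ev[3] in PAYOUT_EVENTS]
        reasons, matched = [], []
        for r_ts, _, r_chan, r_kind in redirects:
            for p_ts, _, _, p_kind in payouts:
                if r_ts <= p_ts <= r_ts + window:
                    matched.append(r_ts)
                    reasons.append(f"{r_kind} via {r_chan} on {r_ts.date()} "
                                   f"followed by {p_kind} on {p_ts.date()}")
        if reasons:
            flagged[account] = {
                "suspected_start": min(matched).isoformat(),
                "reasons": reasons,
            }
    return flagged


if __name__ == "__main__":
    for account, info in analyze(SAMPLE_LOG).items():
        print(account, "suspected from", info["suspected_start"])
        for reason in info["reasons"]:
            print("  -", reason)
```

On the sample, acct-A is flagged (two non-MFA redirects followed by a benefit application), acct-B is not (its change went through the portal with MFA) and acct-C is not within 30 days but would be with a wider window.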
Prevention
- Prevention is the first line of defense within a comprehensive security posture. It supports organizations in their goal to identify threats to organizations’ assets and implement adequate security controls to minimize the risks and prevent threats that could lead to compromising assets and causing harm. Security controls should include physical, technical and organizational measures and they should be tailored and commensurate to the threats and risks they are protecting against.
- In its representations, the CRA indicated that it had several preventative measuresFootnote 50 in place.
- In the section below, we discuss some of the measures that would have improved the CRA’s defence against UUTPs during the period under investigation.
Earlier implementation of and stronger multi-factor authentication (MFA)
- MFA makes it more difficult for unauthorized users to gain access to an account, even if they have legitimate credentials. It does so by requiring different kinds of information to access an account, generally a combination of two or more factors: something the account holder knows (the knowledge factor: e.g., correct responses to challenge questions), something they have (the possession factor: e.g., an email, a smart phone app) or something they are (the inherence factor: e.g., fingerprints or biometrics). The challenge of obtaining different factors decreases a bad actor’s success rate.
- The CRA did not have MFA throughout the entire period within scope of the present investigation. The Agency only instituted it as a mandatory security measure in October 2021, which may have been a contributing factor to the UUTPs that predate October 2021.Footnote 51 The OPC has found in a previous investigation that single-factor authentication was still a common practice prior to 2020, but that “common practice or industry standard does not necessarily equate to compliant practice.”Footnote 52
- In February 2023, the CRA enhanced its MFA process and since then, individuals have been required to use one of three MFA options in order to access My Account:Footnote 53
- An authenticator application: a mobile application which generates one-time, time-limited passcodes.
- Telephone: the CRA can provide one-time passcodes through text messages (SMS) or through an automated phone call message.
- Passcode grid: the system will generate a unique passcode grid for each individual, which they must save or print. It is valid for up to 18 months. The passcode grid contains numbered rows and lettered columns; the CRA asks for 3 combinations each time the individual signs in.
- At the time of writing, only one MFA option is required to sign in; however, the CRA recommends that individuals enroll in more than one because “Enrolling in multiple MFA options will help ensure that you can still access your CRA account if you change your phone number, misplace your passcode grid or delete the third-party authenticator app.”Footnote 54
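The following is an added illustration, not CRA code, of two of the MFA options described above (an authenticator app generating time-limited one-time passcodes, and a passcode grid with numbered rows, lettered columns, three cells per sign-in and an 18-month validity) together with the failed-attempt counter discussed later in this section. The grid dimensions, the two-digit cell values, the three-attempt lockout threshold and the 548-day conversion of 18 months are assumptions.

```python
import hmac
import hashlib
import secrets
import string
import struct
from datetime import datetime, timedelta, timezone

# ---- Authenticator app option: time-based one-time passcode (RFC 6238) ----
STEP_SECONDS = 30

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """Compute the TOTP for Unix time `at`: HMAC-SHA1 over the time-step
    counter, then RFC 4226 dynamic truncation to `digits` decimal digits."""
    counter = struct.pack(">Q", at // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, at: int, drift_steps: int = 1) -> bool:
    """Accept the current step and +/- `drift_steps` neighbours to tolerate
    clock drift; constant-time compare so timing does not leak the code."""
    return any(
        hmac.compare_digest(totp(secret, at + d * STEP_SECONDS), submitted)
        for d in range(-drift_steps, drift_steps + 1)
    )

# ---- Passcode grid option: numbered rows, lettered columns, 3 cells per sign-in ----
GRID_ROWS = 5                         # assumed grid shape
GRID_COLS = "ABCDE"
CELL_DIGITS = 2                       # assumed value length per cell
GRID_LIFETIME = timedelta(days=548)   # "valid for up to 18 months"
CELLS_PER_CHALLENGE = 3               # "the CRA asks for 3 combinations"

def issue_grid(issued: datetime) -> dict:
    """Generate a fresh grid keyed by (row number, column letter), e.g. (2, "C")."""
    cells = {
        (row, col): "".join(secrets.choice(string.digits) for _ in range(CELL_DIGITS))
        for row in range(1, GRID_ROWS + 1)
        for col in GRID_COLS
    }
    return {"cells": cells, "issued": issued}

def grid_expired(grid: dict, now: datetime) -> bool:
    return now - grid["issued"] > GRID_LIFETIME

def grid_challenge(grid: dict) -> list:
    """Pick 3 distinct cells at random for this sign-in."""
    keys = list(grid["cells"])
    chosen = []
    while len(chosen) < CELLS_PER_CHALLENGE:
        pick = secrets.choice(keys)
        if pick not in chosen:
            chosen.append(pick)
    return chosen

def verify_grid(grid: dict, challenge: list, answers: list, now: datetime) -> bool:
    """Reject an expired grid, then require every challenged cell to match.
    Every cell is compared even after a mismatch so the time taken does not
    reveal which cell was wrong."""
    if grid_expired(grid, now) or len(answers) != len(challenge):
        return False
    ok = True
    for cell, answer in zip(challenge, answers):
        ok &= hmac.compare_digest(grid["cells"][cell], str(answer))
    return ok

# ---- Failed-attempt counter: lock the account after too many MFA failures ----
MAX_FAILED_ATTEMPTS = 3               # assumed threshold

class MfaGate:
    """Counts failed second-factor attempts per account and locks the account
    once the threshold is reached; a success resets the counter."""
    def __init__(self):
        self.failed = {}
        self.locked = set()

    def attempt(self, account: str, passed: bool) -> str:
        if account in self.locked:
            return "locked"
        if passed:
            self.failed[account] = 0
            return "ok"
        self.failed[account] = self.failed.get(account, 0) + 1
        if self.failed[account] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(account)
            return "locked"
        return "retry"
```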
- As mentioned above, the CRA did not provide the OPC information on when UUTPs occurred and we therefore cannot conclude how effective the current implementation of MFA is.
- In our review of international best practices, we note that as early as 2022, the Cybersecurity and Infrastructure Security Agency (CISA) statedFootnote 55 that SMS-based MFA is more susceptible to attack and emphasized the importance of using secure MFA methods.Footnote 56 These methods include phishing-resistant MFA such as FIDO/WebAuthn AuthenticationFootnote 57 and PKI-based MFA,Footnote 58 and App-based authentication such as token-based one-time passcode (OTP),Footnote 59 and mobile push notification with number matching.Footnote 60
- Similarly, the National Institute of Standards and Technology (NIST) has issued a series of reports on the topic of MFA, analyzing different aspects of implementation. In 2025, NIST concluded that knowledge-based authentication and verification was obsolete and should not be used for identity verification.Footnote 61
- The CRA represented that it has taken steps to strengthen its safeguards against knowledge-based authentication, such as reducing the number of failed attempts at answering security questions that are permitted before an account is locked (in September 2020), and introducing a failed attempt counter when a user enters their personal identification number (PIN) (in October 2020). The CRA has also indicated that it is scheduled to implement further enhancements to its MFA process in February 2026.Footnote 62 These are positive steps.
- In light of the foregoing, we recommend that the CRA:
Recommendation 1: within 12 months of the issuance of the report of findings, assess and adjust its current implementation of MFA considering international standards to ensure that it relies only on strong MFA methods; and
Recommendation 2: within 12 months of the issuance of the report of findings, develop metrics to track the effectiveness of its security controls and overall security program, including but not limited to MFA.
- The CRA partially accepted Recommendation 1. In response to this recommendation, the Agency reaffirmed its commitment to aligning its authentication practices with internationally recognized standards for MFA and pointed to certain privacy-protective measures that it has already implemented, such as offering an authenticator application as an option, incorporating MFA backup methods in February 2026, and planning enhancements to these backup methods later in 2026. The Agency also stated that it recognizes the importance of balancing robust security controls with user accessibility and operational readiness: “While SMS-based MFA may be considered a less robust authentication factor when measured under international cybersecurity standards, these standards also recognize the need for proportionate security controls, to ensure secure access for all users.” The CRA further explained that maintaining SMS as an MFA option is intended specifically to support vulnerable, rural, or underserved populations, as well as those with barriers to technology adoption. According to the Agency, SMS-based authentication is not positioned as the preferred authentication method for users who can reasonably access stronger alternatives and the CRA will not offer it as a backup MFA method. Ultimately, the CRA affirmed that it will continue to evaluate and enhance its authentication ecosystem to ensure alignment with emerging international standards and evolving threat landscapes while continuing to promote awareness of the security benefits associated with stronger authentication methods.
- The OPC recognizes that the CRA is balancing service delivery with security and that it is committed to upholding robust security while ensuring inclusive and equitable access to online services for all Canadians. The OPC also notes the CRA’s commitment to ongoing assessments and adjustments to its current MFA as well as its statement that SMS-based authentication will not be positioned as the preferred authentication method for users who can leverage stronger alternatives. We accept the CRA’s approach but expect and encourage it to clearly inform taxpayers that SMS-based MFA is less robust than other alternatives and that it entails more risks. It is the OPC’s intention to monitor the CRA’s ongoing efforts to continually strengthen MFA and raise awareness about the most secure ways to leverage it, in order to ensure that the CRA implements the strongest possible methods feasible. In consideration of the foregoing, we consider Recommendation 1 conditionally resolved.
- With respect to Recommendation 2, the CRA accepted the recommendation. They agreed to develop metrics as described, and further committed to establish appropriate mechanisms to evaluate whether the Agency’s security controls and measures function as intended to reduce risks and prevent potential breaches, and will incorporate these efforts into the CRA’s ongoing processes for monitoring and reporting.
Stronger authentication processes by phone
- As discussed above, when individuals engage with the CRA by phone at any level, they must answer certain questions to authenticate themselves before taking any action or receiving account information.
- The CRA advises individuals to have specific information on hand when they call: SIN, full name, date of birth, complete address, and a tax return, notice of assessment/reassessment, or other tax documents. This information provides the basis for the CRA’s authentication by phone. Given the prevalence of external and third-party breaches, which makes personal information available to bad actors, it is crucial for the CRA to ensure that its phone authentication is strong.
- Individuals whose accounts are potentially impacted by identity theft are required to engage with the CRA’s Identity Protection Services (IPS), which relies on “enhanced confidentiality measures” to validate the identity of the taxpayer. These enhanced confidentiality measures include different sets of questions to establish, with greater confidence, that the individual is the true account holder. If the individual cannot answer the questions, or if their responses leave doubt about their identity, IPS will not continue the callFootnote 63 and may arrange to speak to the caller at another time (for example, if the individual lacked access to certain documents during the call), or ask the caller to provide further documentation to support their identity.
- After a taxpayer successfully passes the enhanced confidentiality measures step, they will still be asked for documentation, and IPS will still secure the account pending the conclusion of the review into the suspected UUTP.Footnote 64
- We take note of the 2025 version of NIST SP 800-63(a), which states that knowledge-based authentication and verification methods are obsolete. Security questions fall into the category of knowledge-based authentication, which can often be predictable, guessable, and obtainable through open sources.Footnote 65
- Therefore, we recommend that the CRA:
Recommendation 3: within 9 months of the issuance of the report of findings, consider alternatives or enhancements to its current knowledge-based authentications over the phone, and develop an implementation plan to ensure that it effectively minimizes risk.
- The CRA accepted this recommendation and pointed to related efforts already in place which strengthen its telephone authentication processes and reduce risks associated with knowledge-based authentication. For example, in February 2025, the Agency introduced multi-factor authentication using a one-time passcode as an additional method for individuals to authenticate when speaking with an agent by phone and, in February 2026, expanded this control to the Interactive Voice Response (IVR) system. The CRA pledged to explore additional and long-term enhancements to further improve the security and consistency of its services.
Considering a zero-trust approach
- Industry best practice points to recognized cybersecurity frameworks to adopt and improve security capabilities.Footnote 66 Architectural approaches such as zero trust can significantly enhance security by limiting implicit trust and reducing the impact of potential breaches.
- Zero trust means “never trust, always verify.”Footnote 67 The zero-trust philosophy includes a number of principles such as per-session access with regular re-authentication when sessions expire; dynamic access determined by factors such as who is requesting access, from what device, when, and whether their behaviour matches how they normally behave; and authentication and authorization, which is also dynamic and strictly enforced. Zero trust also requires the collection of information to improve security, including information about users, devices, network traffic and system behaviour.
- The Canadian Centre for Cyber Security (CCCS) has observedFootnote 68 that the traditional perimeter-focused defences (which allow individuals free access within a system after validation and authentication) are no longer sufficient to protect internal networks and data. As CCCS explains, “ZT’s [zero trust’s] central tenet is that no subject (application, user, or device) in an information system is trusted by default. Trust must be re-assessed and verified every time a subject request access to a new resource.”
- When controls are primarily focused on the perimeter, bad actors can move freely in the systems once they pass the security controls with illicitly-obtained information. By contrast, creating smaller trust zones, or requiring additional authentication steps before making key account changes, may frustrate efforts by bad actors to work around the system.
- The OPC acknowledges that it is very difficult, and resource intensive, to implement a zero-trust architecture on an existing system, because it involves a significant review and rebuild of the foundations of a system’s configuration. Incorporating aspects of zero-trust can also lead to significant technical and administrative work across organizations, and increased time and effort to strongly authenticate every user and device. However, we find it illustrative as a framework and approach to prevention.
- For example: the CRA has identified that externally compromised credentials represent a significant source of UUTP breaches. According to the Open Worldwide Application Security Project (OWASP), the traditional security response to attacks involving stolen credentials would be resetting passwords and adding MFA. A zero-trust response, however, would include continuous risk assessment, device verification, behaviour analysis, and could result in a denial of access even with valid credentials when the risk is determined to be high.Footnote 69
- Another example: the CRA represented that individual UUTPs are generally flagged by individuals who self-report unauthorized changes made to their accounts.Footnote 70 To limit internal movement, we are of the view that individual account owners should also be contacted to confirm actions taken on their accounts. We note that the CRA has taken some positive steps in this direction, such as in February 2023, when the CRA enhanced e-notification types and content to inform taxpayers when a user other than them is locked out of their account.Footnote 71
- Quickly notifying individualsFootnote 72 about changes made to information on their accounts or flagging new activity such as tax returns being filed or refiled, may also limit a bad actor’s efforts to take control of this information. It also could lead to individuals learning promptly that their personal information has been potentially breached and enabling them to activate meaningful mitigation/remediation measures accordingly. Therefore, we recommend that the CRA:
Recommendation 4: within 9 months of the issuance of the report of findings, review whether a zero-trust approach and its key principles are sufficiently integrated in its security measures and present a plan for adjustments to meet the principles of this approach.
- The CRA accepted this recommendation but requested an extension to implement it. The CRA committed to conduct a comprehensive review to evaluate how zero-trust principles are currently integrated, and to identify any additional adjustments that may be necessary to further strengthen the Agency’s security measures. It also wishes to align the work required to implement this recommendation with ongoing strategic initiatives. The OPC approves the CRA’s request to complete this work within 12 months of the issuance of this report.
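The zero-trust response described above (continuous risk assessment, device and behaviour signals, step-up authentication before key account changes, notification of the account owner, and denial even with valid credentials when risk is high) as an added illustration that is not CRA code or the OWASP guidance itself. The signals, weights, thresholds and the 12-hour re-authentication limit are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Account changes the report singles out as key: where money and mail are routed,
# and who may act on the account
SENSITIVE_ACTIONS = {"change_direct_deposit", "change_address", "authorize_representative"}

# Assumed policy parameters; a real policy would be tuned against confirmed cases
DENY_THRESHOLD = 60
STEP_UP_THRESHOLD = 30
REAUTH_MAX_HOURS = 12       # per-session access with regular re-authentication

@dataclass
class AccessRequest:
    account: str
    credential_valid: bool          # password/credential check already passed
    mfa_completed: bool             # second factor passed in this session
    device_known: bool              # device previously seen for this account
    location_matches_history: bool  # sign-in location consistent with past activity
    hours_since_reauth: float
    action: str
    sensitive_changes_last_hour: int = 0

@dataclass
class Decision:
    outcome: str                    # "allow" | "step_up" | "deny"
    score: int
    reasons: list = field(default_factory=list)
    notify_owner: bool = False      # tell the taxpayer what happened on their account

def risk_score(req: AccessRequest):
    """Continuous risk assessment from device, location and behaviour signals."""
    score, reasons = 0, []
    if not req.device_known:
        score += 30
        reasons.append("unrecognized device")
    if not req.location_matches_history:
        score += 20
        reasons.append("location differs from the account's history")
    if req.sensitive_changes_last_hour >= 2:
        score += 25
        reasons.append("burst of sensitive changes in the last hour")
    if req.hours_since_reauth > REAUTH_MAX_HOURS:
        score += 15
        reasons.append("session older than the re-authentication limit")
    return score, reasons

def decide(req: AccessRequest) -> Decision:
    """Never trust, always verify: a valid credential is necessary but not
    sufficient. High risk is denied outright and the owner is told; expired
    sessions, sensitive changes and medium risk all require fresh MFA; any
    allowed sensitive change is also reported to the account owner."""
    if not req.credential_valid:
        return Decision("deny", 100, ["credential check failed"])
    score, reasons = risk_score(req)
    if score >= DENY_THRESHOLD:
        return Decision("deny", score,
                        reasons + ["risk too high despite valid credential"],
                        notify_owner=True)
    if req.hours_since_reauth > REAUTH_MAX_HOURS:
        return Decision("step_up", score, reasons + ["session expired; re-authenticate"])
    sensitive = req.action in SENSITIVE_ACTIONS
    if not req.mfa_completed and (sensitive or score >= STEP_UP_THRESHOLD):
        return Decision("step_up", score,
                        reasons + ["re-authentication required before proceeding"])
    return Decision("allow", score, reasons, notify_owner=sensitive)
```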
Greater attack surface visibility and better attack surface management
- The CRA provides taxpayers with a range of ways to access and modify the information in their accounts. In several cases, this can be done through intermediaries over which the CRA has no direct control (financial institutions, EFILERs, authorized representatives using Represent a Client, etc.).
- We asked the CRA how it vets and grants third parties’ access to CRA systems, and how it monitors or audits that access. With respect to financial institutions, the CRA explained that it leverages a Government of Canada contract that allows users to use the Interac Sign-In Service to access their CRA account.Footnote 73 This service eliminates the need for users to create and manage a separate credential for use with the CRA. The CRA indicated that it is not involved with the addition or removal of financial institutions from Interac’s list of participants, and that it is Shared Services Canada (SSC) that is party to the contract with Interac;Footnote 74 SSC manages the relationship to ensure compliance and acts as both the contract and technical authority.Footnote 75 The contract is available for use by all government departments and agencies and information about changes or updates to the service are shared through a working group chaired by SSC.
- We would expect the CRA to be informed about, and satisfied with, the robustness of all third parties’ authentication processes that enable access to taxpayer information. Where the CRA is allowing access to My Account, any risks related to the third parties’ processes become part of the CRA’s overall risk exposure.
- The CRA was unable to explain why it relies on third parties’ authentication processes even though financial institutions represent the most breached entry point among the data sample of individual UUTPs. This is concerning given that the CRA indicated that it does not have visibility into how third parties may identify UUTPs or suspicious activities and how their authentication processes can be or were bypassed by bad actors. The Agency stated that it only relies on the fact that external parties may report suspicious activities.
- This investigation highlighted that the CRA does not have sufficient visibility over the many entry points to its system, which may explain the occurrence of a number of UUTPs and the fact that the Agency could not explain what happened in individual UUTPs. Proper Attack Surface Management is critical in cybersecurity as it allows organizations to identify and remediate vulnerabilities in all entry points.
- In light of the above, we recommend that the CRA:
Recommendation 5: within 6 months of the issuance of the report of findings, 1) compile an inventory of all entry points and corresponding attack vectors; and 2) articulate and implement a plan to ensure that this inventory remains up-to-date and accessible to all teams with a need-to-know.
- The CRA accepted this recommendation but requested an adjusted timeline to align with ongoing work at the Agency: specifically, because fiscal year 2026-2027 is the third and final year of an ongoing special initiative that involves a risk assessment of key entry points, and related corrective actions, intended to strengthen the CRA’s posture and prioritize high-risk entry points.
- On this basis, the CRA proposed to complete an updated inventory of all access points within 3 months of the issuance of our report, to update the inventory of access points with associated attack vectors within 6 months of the issuance of our report, and to develop and implement a plan to maintain the inventory as an evergreen resource within 12 months of the issuance of our report. The OPC agreed to this phased approach to implementing this recommendation.
Effective training and raising awareness
- In addition to technology-based prevention methods, we expect organizations to consider the human factor, which includes ensuring that users, employees and authorized third parties are aware of their role in the protection against unauthorized access or modification of users’ accounts.
- The CRA’s website explains that it “works to raise awareness of scams through various communication channels, such as Canada.ca, news and social media, and regular mail. In addition, the CRA has created a variety of creative initiatives to raise awareness on this important topic.” Examples of the initiatives cited include Be Scam Smart campaign,Footnote 76 CRA scam alerts,Footnote 77 Social Media,Footnote 78 and Scam escape room.Footnote 79 These initiatives demonstrate that the CRA is aware of the importance of involving taxpayers in protecting their accounts.
- Taking into consideration the fact that most UUTPs are facilitated by credentials and information that may have been obtained through social engineering or phishing schemes targeting individuals, we question whether more can be done to raise awareness in the general public. Without specific evidence of the effectiveness of the above-mentioned initiatives, we cannot conclude whether or not the CRA should consider additional communication avenues.
- Similarly, we would expect that the CRA’s call centre employees receive training specifically addressing the threats that the Agency may encounter.
- Meanwhile, the requirements for EFILERs must be specific and targeted.Footnote 80 Employees of EFILER firms also handle taxpayers’ information; the CRA should therefore ensure that, as part of its vetting program, EFILERs are providing their employees with privacy and security training similar to that which the CRA’s employees receive.
- In light of the above, we recommend that the CRA:
Recommendation 6: within 12 months of the issuance of the report of findings, assess its vetting, training and awareness tools to ensure that they are effective and in place and provide the OPC with a summary of this assessment.
- The CRA accepted this recommendation. Among its commitments, the CRA indicated that it plans to update its screening processes in the Fall of 2026 to strengthen the accountability of EFILERs. As part of this update, EFILERs will be required to attest to their awareness of, and compliance with, their obligations to protect taxpayer information under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Monitoring and Detection
- Monitoring and detection both represent important components in a comprehensive security posture. The goal of these activities is to identify threats to an organization as early as possible in order to take immediate action to contain and prevent the threats from compromising assets and causing harm. Monitoring and detection controls should include technical tools and organizational processes, and should be tailored and commensurate to the threats and risks they are protecting against.
- The CRA advised that it has monitoring measures in place to detect suspicious activity at specific points of entry, and that it continues to adopt advanced methods.
- The CRA shared with the OPC information about a number of tools upon which it relies for its cybersecurity. The tools in place are those that the OPC would expect to see as part of the CRA’s overall cybersecurity framework.
- With respect to monitoring for and detecting UUTPs specifically, the CRA provided examples of its approaches to monitoring and detection:
- Internal referrals: various internal teams support CRA program areas in identifying potential UUTPs, including Security Branch teams which play a complementary role by using tools designed to identify anomalies and indicators of fraud and flagging information to program areas for further investigation into potential UUTPs.
- External referrals: the CRA explained that not all external partners are required to report breaches of information they hold; they report suspicious activities to the CRA based on their own internal monitoring systems, breach investigations, or obligations under contractual agreements.Footnote 81 The CRA then reviews, assesses and responds to these reports.
- Routine tax review: Ad hoc compliance reviews and spot checks can be a useful approach, complementary to other formal monitoring, to help identify potential issues that have gone otherwise undetected. The CRA has taken this approach in some examples it reported to the OPC.Footnote 82
- Behavioural analytics and monitoring: The CRA analyzes user behaviour within its portals. Dedicated teams use data analytics tools and techniques to identify fraud signatures related to schemes and active cases.
- Rule-based triggers for review by certain program areas: The CRA noted that some program areas have automated rules to detect errors or irregularities in tax submissions or account activities.
- Despite all the tools above, with respect to the period under investigation, the CRA represented that the majority of individual UUTPs remain self-reported by the individual; however, it was unable to provide breakdowns of UUTPs by source and explained that “case source tracking is widely unavailable due to the dynamic nature of identity theft.”
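An added illustration, not CRA code, of the rule-based triggers described above run over a constructed account-event log, together with the per-source case breakdown that the CRA reported it could not produce. The event format, the three rules (repeated failed challenge answers, a contact-information change followed within 48 hours by a direct-deposit change, and one deposit destination appearing on several taxpayer accounts), their thresholds and the sample data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real CRA data): (timestamp, account, event, detail)
SAMPLE_EVENTS = [
    ("2025-03-01T09:00:00", "T100", "challenge_failed", ""),
    ("2025-03-01T09:01:00", "T100", "challenge_failed", ""),
    ("2025-03-01T09:02:00", "T100", "challenge_failed", ""),
    ("2025-03-01T09:10:00", "T100", "address_changed", "channel=phone"),
    ("2025-03-01T11:00:00", "T100", "direct_deposit_changed", "dest=BANK-9"),
    ("2025-03-02T10:00:00", "T200", "direct_deposit_changed", "dest=BANK-9"),
    ("2025-03-02T10:30:00", "T300", "direct_deposit_changed", "dest=BANK-9"),
    ("2025-03-03T08:00:00", "T400", "address_changed", "channel=my_account"),
    ("2025-03-20T08:00:00", "T400", "direct_deposit_changed", "dest=BANK-1"),
]
# Constructed confirmed cases with how each was first detected
SAMPLE_CASES = [("T100", "rule"), ("T200", "rule"), ("T300", "rule"),
                ("T500", "self_report"), ("T600", "self_report"),
                ("T700", "external_referral")]

FAILED_CHALLENGE_LIMIT = 3                 # assumed thresholds
FAILED_WINDOW = timedelta(minutes=15)
CHANGE_CHAIN_WINDOW = timedelta(hours=48)
SHARED_DEST_LIMIT = 3

def parse(raw):
    """Turn the tuples into dicts with a datetime and a key=value detail map."""
    return [{"ts": datetime.fromisoformat(ts), "account": acct, "event": ev,
             "detail": dict(kv.split("=", 1) for kv in detail.split(";") if kv)}
            for ts, acct, ev, detail in raw]

def rule_failed_challenges(events):
    """Three or more failed challenge answers on one account within 15 minutes."""
    alerts, by_acct = [], defaultdict(list)
    for ev in events:
        if ev["event"] == "challenge_failed":
            by_acct[ev["account"]].append(ev["ts"])
    for acct, times in by_acct.items():
        times.sort()
        for i in range(len(times) - FAILED_CHALLENGE_LIMIT + 1):
            if times[i + FAILED_CHALLENGE_LIMIT - 1] - times[i] <= FAILED_WINDOW:
                alerts.append(("repeated_failed_challenges", acct))
                break
    return alerts

def rule_change_chain(events):
    """Address change followed within 48 hours by a direct-deposit change on
    the same account: the sequence that redirects both mail and payments."""
    alerts, by_acct = [], defaultdict(list)
    for ev in events:
        by_acct[ev["account"]].append(ev)
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if first["event"] != "address_changed":
                continue
            if any(later["event"] == "direct_deposit_changed"
                   and later["ts"] - first["ts"] <= CHANGE_CHAIN_WINDOW
                   for later in evs[i + 1:]):
                alerts.append(("address_then_deposit_change", acct))
                break
    return alerts

def rule_shared_destination(events):
    """The same deposit destination set on several distinct taxpayer accounts."""
    accounts_by_dest = defaultdict(set)
    for ev in events:
        if ev["event"] == "direct_deposit_changed":
            accounts_by_dest[ev["detail"].get("dest")].add(ev["account"])
    return [("shared_deposit_destination", acct)
            for accts in accounts_by_dest.values() if len(accts) >= SHARED_DEST_LIMIT
            for acct in sorted(accts)]

RULES = [rule_failed_challenges, rule_change_chain, rule_shared_destination]

def run_rules(raw_events):
    """Apply every rule and return sorted (rule name, account) alerts."""
    events = parse(raw_events)
    return sorted(alert for rule in RULES for alert in rule(events))

def source_breakdown(cases):
    """Count confirmed cases by detection source, as (count, percent of total)."""
    counts = defaultdict(int)
    for _, source in cases:
        counts[source] += 1
    total = sum(counts.values())
    return {src: (n, round(100 * n / total)) for src, n in counts.items()}
```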
- In conclusion, our investigation confirmed that the CRA relies on various monitoring and detection tools. However, the fact the majority of UUTPs remain self-reported combined with the fact that the CRA is unable to identify when and how each individual UUTP actually occurred, raises questions about the effectiveness of the CRA’s approach. Therefore, we recommend that the CRA:
Recommendation 7: within 9 months of the issuance of the report of findings, develop a plan to ensure that its monitoring and detection approach is tailored to the threats and risks that lead to UUTPs.
- The CRA accepted this recommendation and shared details with the OPC about how it will build on its existing work to implement the OPC’s recommendation. The CRA outlined the variety of tools and technologies it uses to monitor and detect suspicious activity on its systems. It explained that these tools are regularly updated and recalibrated based on new threats, confirmed cases of fraud, and emerging risks, to help CRA teams identify potential unauthorized access to taxpayer accounts.
Containment
- Once an institution identifies a potential breach, it must determine and implement containment measuresFootnote 83 to limit the impact and the scope of a breach. Containment should begin immediately after the detection of the breach and be completed as quickly and as extensively as possible. The CRA represented that its strategies and actions depend on the type of the breach and its scope.
- The CRA identified Identity Protection Services (IPS) as the main team involved with containing UUTPs in relation to individual accounts. IPS’s mandate is to verify the identity of taxpayers whose information is suspected of being used by an unauthorized third party, and to take corrective action on accounts belonging to victims of identity theft. The CRA explained in its submissions that accounts identified as suspicious are immediately reviewed, with various measures taken to flag them internally and deactivate them to avoid potential (further) exploitation.
- The CRA explained that IPS is the point of contact for individual taxpayers whose accounts are potentially impacted by identity theft.Footnote 84 IPS reviews all cases of potential identity theft, communicates directly with suspected victims to restore or protect their accounts, as applicable, and addresses identity theft concerns at the individual level.Footnote 85
- In its representations, the CRA indicated that IPS contacts suspected victims “as soon as possible,” by phone and by mail, and that an initial contact letter is issued regardless of whether telephone contact was successful or not. However, the CRA also advised that review timelines vary, depending on capacity constraints, prioritization of files, and organizational priorities, and noted that there can be delays related to unsuccessful phone contact and to receiving requested documents from individuals. The CRA also noted that files are “generally actioned between 24 hours to 20 weeks.”
- We are satisfied with the CRA’s approach to containment. We acknowledge that several factors could impact how quickly certain containment measures are taken and that it is challenging to investigate UUTPs.
Mitigation
- Mitigation relates to measures taken by an institution to reduce the risks associated with a breach. Mitigation should be timely and include steps such as controlling access to an account to prevent disclosure or misuse. The ultimate goal of mitigation is to return the individual as closely as possible to their pre-breach state. That includes correcting information related to their account(s), reversing any financial errors/impacts, ensuring their access to CRA services and benefits, and protecting them from future harm.
- The Agency’s UUTP Playbook outlines several steps related to mitigation and communication, as well as the roles and responsibilities of all the teams involved. Mitigation measures usually include applying account protections on affected accounts. Additionally, in cases where a bad actor may have viewed full account information, individuals receive credit protection to help protect against resulting harms.
- The CRA states on its website that individuals affected by fraud or identity theft will not be held liable for unauthorized claims, nor taxes owed related to unauthorized activity on an account, nor will they be held responsible for money paid out to bad actors who use their identity.Footnote 86
- These actions are in addition to activities conducted by IPS, including communicating with impacted individuals to explain the CRA’s response and address their concerns, as described above. We encourage the CRA to expedite its investigation of suspected UUTPs and restore access to legitimate taxpayers promptly given that frozen accounts can cause harm to affected individuals.Footnote 87
- We acknowledge that these measures are positive and that they reduce the impact of the breaches on individuals.
Remediation
- After a breach has been confirmed, it is incumbent on an organization to consider what steps should be followed to remediate the vulnerabilities that the bad actor exploited and reduce the likelihood of a similar breach recurring. In order to do so, it is crucial to understand the root causes, the details and the strategies employed by the bad actors who breached the personal information.
- Since 2020, the CRA has made several changes to its systems and processes. For example:
- Limiting avenues available for unauthorized account changes:
- Since March 24, 2025, individuals can no longer update direct deposit information over the phone; they can only do so through a CRA account or financial institution;Footnote 88
- The CRA has instituted some limitations on the individual contact information that can be updated through a tax return submission (online, phone, and paper-based options remain for some). Phone numbers and email addresses can be updated through tax returns, but mailing address cannot be updated through a tax return filed by NETFILEFootnote 89 (by an individual). A mailing address can be updated through a tax return filed by paper or through EFILE (meaning, through a tax preparer).
- Strengthening mandatory multi-factor authentication:
- The CRA implemented multi-factor authentication as a mandatory security measure in October 2021; in February 2023, the CRA enhanced the multi-factor authentication email notification, specifying the method used during enrolment (telephone, passcode grid, authenticator application); in February 2024, the CRA implemented time-based one-time passcodes as an additional option for multi-factor authentication. The CRA also represented that it has implemented further enhancements to its multi-factor authentication systems in February 2026 and plans to make a backup MFA mandatory later in 2026, informed by operational insights, adoption patterns, and user feedback. According to the CRA, these further enhancements are intended to make it more difficult for threat actors to circumvent other controls.
- Adding confirmation of authorization to Represent a Client:
- In October 2021, the CRA implemented a Confirm My Representative process for authorizations submitted using Represent a Client. This process requires individual clients to confirm or deny a request from a potential Representative, either through My Account, or by providing information from an assessed tax return.
- The CRA also established a Complex Account Security Problem Resolution team (CASPR) at the organizational level. CASPR’s role is to lead the CRA’s response to complex account threats that span multiple programs and require a consistent, coordinated approach and response. Individual UUTPs are not in scope for CASPR’s role unless they fall within a broader complex scheme.
- CASPR assesses referrals it receives from internal and external stakeholders, coordinates account controls and mitigation strategies, and issues a report on the event. The scope of CASPR’s work includes both threats directly targeting the CRA that threaten the security and integrity of taxpayer accounts (“CRA threats”), and events outside of, or unrelated to the CRA, which may impact the security and integrity of taxpayer accounts (“external breaches”).
- Remediation must be tailored to the threat, and the CRA reports using effective remediation measures after complex cases. For individual UUTPs, however, we note that the CRA’s remedial efforts are more general in nature: in its quarterly breach reports submitted to the OPC pertaining to individual UUTPs, the CRA indicates only that there are “specific controls and processes that have been implemented since 2020 to reduce the risk of similar breaches occurring in the future.”
- We acknowledge that the CRA’s remediation measures improve the CRA’s ability to prevent future occurrences. However, because individual UUTPs do not fall within CASPR’s scope (unless they are determined to be part of a complex scheme) and only extend to incidents within the CRA, the root causes of UUTP breaches stemming from third parties are never identified. Ultimately, the OPC was unable to assess the efficiency or effectiveness of the CRA’s remediation measures against all bad actors’ tactics to gain unauthorized access to taxpayers’ accounts.
- Even when remedial actions improve the overall security posture, their effectiveness is difficult to assess if they do not correlate with lessons learned.
Gaps in key relevant information
- The OPC experienced challenges throughout this investigation in its evaluation of the effectiveness of the CRA’s efforts to safeguard its systems and the personal information for which the Agency is responsible. Despite significant effort, the CRA was unable to provide the OPC with detailed information about the individual UUTPs under investigation and how the CRA has responded to them.
- With that in mind, we recommend that the CRA:
Recommendation 8: within 6 months of the issuance of the report of findings, develop an action plan that will detail how it will implement the following (4) activities, within 18 months of the issuance of the report of findings:
- Ensure that the CRA tracks and has the ability to report key dates for all breaches: date of breach, date the breach was first suspected, the date of first attempted contact with the individual affected, and the date of first successful contact;
- Ensure that the CRA has the ability for each breach to establish a link between safeguards in place and the breach type;
- Ensure that the CRA has a process in place to assess the effectiveness of safeguards and whether they impact the occurrence of breaches;
- Ensure that the CRA has systems in place that allow for comprehensive tracking of and reporting on UUTPs and its response to UUTPs.
- The CRA accepted this recommendation and clarified that it already undertakes a comprehensive review of all complex schemes involving more than one SIN to fully understand the risk and to make any necessary changes to systems and/or procedures. It committed to implement a plan for individual UUTP not tied to complex schemes. Finally, it requested an extension to 24 months after the issuance of our report to complete the implementation of the actions required.
- The OPC accepts the CRA’s response and requested extension.
Governance
- Governance in privacy encompasses the policies, practices and procedures that an organization has in place to ensure the protection of personal information under its control. It can include a range of tools and structures.
- Governance is also about the teams and units that ensure proper policies and procedures are developed and implemented. Among the positive examples we observed at the CRA are the creation of the IPS and CASPR teams. Both play pivotal roles in the CRA’s organizational-wide response to UUTPs, and are key players in the Agency’s breach response.
- That said, we found shortcomings in the CRA’s governance in this area.
- There is no single centralized repository of taxpayer personal information, nor is there one for tracking and reporting information related to UUTPs. We note that IPS relies on six different systems with different functions and features, some of which rely on manual inputs in unstructured formats (e.g., notepad entries across multiple platforms). Relatedly, when the CRA suggested providing the OPC a data sample in response to the OPC’s request for information related to the breaches, a key consideration was the level of effort required by the CRA to manually collect the information for each sample. As the CRA explained, “the tracking of individual UUTP breaches is a manual process, which is not regulated by an enterprise system.”
- There is no single, overarching, centralized team responsible for coordinating the detection and response to all security events flowing from all threat sources. Rather, different types of threats filter through different teams, processes and/or technology.
- During this investigation, we asked the CRA whether it had a single team responsible for a centralized security function, such as a security operations centre. It noted the following two teams: the Agency Operations Centre and the Cyber Security Operations Division. The former provides a central security reporting service to CRA employees, with a mandate to support the CRA’s capacity to effectively cope with, adapt to, and recover from security incidents, threats and emergencies (excluding UUTPs). The latter is responsible for monitoring, detecting and responding to cyber events and threats which may impact the confidentiality, integrity and availability of CRA information and information technology (IT) assets, and also supports information management (IM) and IT risk management by reviewing the threat environment, identifying events of interest and working with stakeholders to contain and respond to incidents.
- The CRA also reported that, following our 2024 investigation report, it created a dedicated Security Branch to centralize all internal security functions (e.g., cyber security, information security, business continuity) under one governance structure with centralized accountability and decision making.
- While the creation of these dedicated units is a positive step, it does not amount to the fully centralized team described above, which would have as its operational mission real-time, 24/7 technical monitoring and threat response.
- The CRA has several systems and entry points, supporting the variety of programs and services it offers to Canadians, through which individuals can access and modify their personal information. As discussed above, the CRA experienced challenges in providing the OPC information about entry points during this investigation.
- While the CRA deals with fraud prevention and cybersecurity separately, there is increasing evidence of collaboration between the two. We would expect that, to the extent that their tools and capabilities can be complementary, the CRA would create more alignment between them; for example, cybersecurity could enable fraud prevention by leveraging behaviour and trend analysis.
- We therefore recommend that the CRA:
Recommendation 9: within 12 months of issuance of the report of findings, review its governance processes and implement changes that will allow the Agency to address UUTPs in a coordinated, comprehensive and efficient manner, regardless of the compromised entry point.
- The CRA accepted this recommendation and expressed its commitment to strengthen its governance process to ensure that UUTPs are addressed in a coordinated, comprehensive and efficient manner. It noted that presently it has multiple governance structures in place to support this, including committees at the Board of Management, Assistant Commissioner, and Director General levels. Furthermore, the CRA Threat Playbook and External Breach Playbook outline the CRA’s efforts to holistically protect the integrity of CRA accounts from external fraud threats and incidents. The CRA submitted that these Playbooks demonstrate how CRA-wide responses are currently coordinated and handled across all business lines using various strategies and explain how decisions are made and issues are escalated.
Conclusion
- Since 2020, the CRA has experienced a large volume of breaches that resulted in unauthorized accesses and modifications of taxpayers’ information, which represent contraventions of subsections 6(2) and 8(2) of the Act. The CRA fully accepted 8 of the OPC’s 9 recommendations and partially accepted one. Therefore, we find the complaint well-founded and conditionally resolved.
- Overall, we acknowledge the CRA’s efforts over the last five years to improve its security posture following the OPC’s investigation that looked into a related issue. Nevertheless, we are of the view that more actions should be taken to ensure that the Agency has in place a coordinated, proactive approach to protecting taxpayers’ accounts against UUTPs.
- This investigation uncovered a number of factors that impacted the CRA’s ability to prevent and respond to UUTPs, including:
- lack of root cause analysis for individual UUTPs that are not part of complex schemes, resulting in the CRA lacking intelligence about bad actors’ tactics and about the vulnerabilities of compromised entry points.
- gaps in tracking UUTP details, including when and how they occur.
- a complex and widely distributed attack surface: taxpayers can access their accounts through several entry points and various authentication processes, some of which involve external stakeholders. This enhanced convenience for legitimate taxpayers is correlated with more opportunities for bad actors.
- limited visibility and control over entry points involving external stakeholders: the CRA’s security posture is only as strong as the weakest point in its own system or that of external stakeholders used to access CRA accounts.
- fragmented and reactive approach to address UUTPs: the CRA’s overall strategy focused on isolated solutions rather than a systemic, coordinated and proactive response.
- We encourage the CRA to amplify its efforts to collaborate across the organization to better position itself to protect the sensitive, valuable personal information it holds for all Canadians and to maintain their trust.
- Notwithstanding our recommendations, we want to highlight the professionalism, commitment and cooperation of the CRA employees we interviewed and interacted with. They are dedicated to protecting Canadians against identity theft, a problem we recognize to be extremely complex and driven by uncommon bad actors’ tactics.
Appendix: Summary of the OPC’s Recommendations and the CRA’s responses
| # | The OPC recommends that the CRA… | Status* |
|---|---|---|
| 1 | Within 12 months of the issuance of the report of findings, assess and adjust its current implementation of MFA considering international standards to ensure that it relies only on strong MFA methods. | Conditionally resolved |
| 2 | Within 12 months of the issuance of the report of findings, develop metrics to track the effectiveness of its security controls and overall security program, including but not limited to MFA. | Conditionally resolved |
| 3 | Within 9 months of the issuance of the report of findings, consider alternatives or enhancements to its current knowledge-based authentications over the phone, and develop an implementation plan to ensure that it effectively minimizes risk. | Conditionally resolved |
| 4 | Within 9 months of the issuance of the report of findings, review whether a zero-trust approach and its key principles are sufficiently integrated in its security measures and present a plan for adjustments to meet the principles of this approach. | Conditionally resolved, to be completed within 12 months. |
| 5 | Within 6 months of the issuance of the report of findings, 1) compile an inventory of all entry points and corresponding attack vectors; and 2) articulate and implement a plan to ensure that this inventory remains up-to-date and accessible to all teams with a need-to-know. | Conditionally resolved, to be completed in the following phases: |
| 6 | Within 12 months of the issuance of the report of findings, assess its vetting, training and awareness tools to ensure that they are effective and in place and provide the OPC with a summary of this assessment. | Conditionally resolved |
| 7 | Within 9 months of the issuance of the report of findings, develop a plan to ensure that its monitoring and detection approach is tailored to the threats and risks that lead to UUTPs. | Conditionally resolved |
| 8 | Within 6 months of the issuance of the report of findings, develop an action plan that will detail how it will implement the following (4) activities, within 18 months of the issuance of the report of findings: (1) ensure that the CRA tracks and has the ability to report key dates for all breaches (date of breach, date the breach was first suspected, date of first attempted contact with the individual affected, and date of first successful contact); (2) ensure that the CRA has the ability, for each breach, to establish a link between safeguards in place and the breach type; (3) ensure that the CRA has a process in place to assess the effectiveness of safeguards and whether they impact the occurrence of breaches; (4) ensure that the CRA has systems in place that allow for comprehensive tracking of and reporting on UUTPs and its response to UUTPs. | Conditionally resolved, with the plan to be completed in 6 months and the implementation to be completed within 24 months. |
| 9 | Within 12 months of issuance of the report of findings, review its governance processes and implement changes that will allow the Agency to address UUTPs in a coordinated, comprehensive and efficient manner, regardless of the compromised entry point. | Conditionally resolved |

* All times counted from the date of issuance of this Report.