News release
Privacy Commissioner of Canada investigation into breaches leads to Canada Revenue Agency commitment to improve security measures
May 7, 2026 – Gatineau, Quebec
An investigation by the Privacy Commissioner of Canada has concluded that, while the Canada Revenue Agency (CRA) has taken measures since 2024 to improve its security posture, more can be done to protect taxpayer information from being exploited by bad actors.
In a Special Report tabled today in Parliament, the Privacy Commissioner highlights that there have been more than 42,000 individual breaches at the CRA dating back to 2020 as a result of bad actors gaining unauthorized access to, or modifying, Canadian taxpayers’ information. As a result of accessing or modifying personal information, bad actors are able to redirect or submit fraudulent requests for government benefits, causing financial loss and other significant hardships for legitimate taxpayers.
This investigation follows a 2024 investigation by the Office of the Privacy Commissioner of Canada (OPC) into breaches that resulted from stolen credentials, after which the Privacy Commissioner issued recommendations.
The recent investigation noted that gaps remain in the CRA’s prevention, monitoring, detection, remediation, and governance of breaches. Some of the key issues that were identified include the fact that:
- The CRA was not able to provide details of every confirmed breach that it had reported due to limitations in its tracking systems, the overall volume of breaches, and the resources required.
- The CRA did not implement mandatory multi-factor authentication in a timely manner, and once it was in place, it did not consistently rely on the strongest methods considered to be industry best practices.
- The CRA could not adequately explain in all cases how attackers were successful in bypassing the authentication processes to gain unauthorized access to, or modify, personal information.
To address the shortcomings identified during the investigation, the Privacy Commissioner made nine recommendations for improvement, eight of which were accepted in full and one in part by the CRA. This includes improving how the CRA tracks and reports individual breaches and establishing a process for assessing the effectiveness of safeguards in reducing the occurrence of breaches.
The report notes that the CRA has also enhanced its multi-factor authentication system, including by introducing one-time passcodes and other measures to make it more difficult for bad actors to circumvent controls.
Quote
“The Canada Revenue Agency holds highly sensitive and valuable personal information of Canadians, which can make it an attractive target for bad actors. Prioritizing privacy is essential to ensure that appropriately strong safeguards are used in a coordinated, proactive way to prevent breaches and to maintain the trust of Canadians. I am encouraged by the changes that the CRA has already implemented and has committed to implement over the coming months as it continues to address its privacy and data protection practices.”
Philippe Dufresne
Privacy Commissioner of Canada
Media contact
Office of the Privacy Commissioner of Canada
communications@priv.gc.ca