Chronology of Events – CRA Breach Reporting (UUTPs)

Background

The CRA responds to a variety of privacy breach events, which it divides into categories referred to as "workloads". This chronology focuses on the breaches that the CRA identifies as "UUTPs" (unauthorized use of taxpayer information by a third party).

UUTP breaches typically occur when a threat actor gains access to an individual’s personal information through the CRA’s online services using compromised credentials, or by calling the CRA and impersonating the taxpayer. The threat actor then alters the account to take certain actions, such as redirecting benefit or refund payments to another bank account.

The UUTP workload is further split into three:

  • UUTP individual, which is a privacy breach on an individual taxpayer account.
  • UUTP business, where a business account is compromised and the personal information of individuals associated with it (employees, directors, representatives) is the subject of the privacy breach.
  • UUTP complex cases, which generally point to a wider scheme and could impact multiple business and/or individual accounts.

The CRA’s reporting of UUTP breaches appears to stem from our Office’s engagements with the CRA in the context of two investigations (the GCKey credential stuffing investigation, and a second investigation that resulted from an individual taxpayer complaint). The CRA has been cooperative in responding to our questions regarding the causes, impacts, span, remedies, etc. of these breaches. However, the data is complex and still needs to be unpacked. The recently launched investigation will aim to do so, while assessing whether the CRA was compliant with its obligations under the Privacy Act.

Related Investigations into CRA

In February 2024, the OPC concluded its investigation into credential stuffing incidents that impacted CRA and ESDC in 2020, which it made public in a Special Report to Parliament. At the end of that investigation, CRA advised the OPC of 15,000 unreported fraud-related breaches dating back to 2020.

The OPC’s recommendations to the CRA following the credential stuffing investigation included:

  • improving its communications and decision-making frameworks to facilitate a rapid response to attacks; and
  • developing comprehensive incident-response processes to prevent, detect, contain, and mitigate future breaches, including by conducting regular security assessments.

We note that the CRA has been working to implement these recommendations since they were issued and has made good progress. The OPC has been monitoring implementation; in its last update, dated October 18, 2024, the Agency indicated that it is on track to complete implementation by February 2025.

Note: while the CRA indicated that all recommendations would be implemented within a 12-month window, the OPC had set different timelines: 6 months for some recommendations and 12 months for others. Hence the 6-month deadline for certain recommendations was not met.

(Redacted)

In March 2024, the OPC concluded an investigation into a complaint from a person whose information had been used by an imposter to apply for, and receive, the Canada Emergency Response Benefit (CERB), which was later made public in the OPC’s June Annual Report to Parliament.

This investigation concluded that at the time of the incident, the CRA relied upon inadequate safeguards to protect against unauthorized access to individual accounts and, as a result, a bad actor was able to modify the complainant’s CRA account. The investigation found that the CRA had not taken all reasonable steps to ensure the accuracy of personal information upon which it relied to make administrative decisions, as required by section 6(2) of the Privacy Act.

The investigation also noted that CRA’s breach notification process was lengthy (approximately 2.5 years before it notified the complainant of this breach) and highlighted that the CRA had not reported the complainant’s breach, nor similar breaches, to the OPC.

(Redacted)

Recent Developments

On October 25, 2024, the CRA submitted a breach report for an additional 3,232 UUTP individual material incidents for the period of November 2023 to September 2024.

On October 28, 2024, the Fifth Estate/Radio-Canada released the results of its investigation, which state that several bad actors or hackers accessed thousands of CRA accounts, changed direct deposit information, submitted false returns and reportedly pocketed tens of millions in bogus refunds.

On October 29, 2024, following the receipt of a complaint, the OPC announced the launch of its investigation into the CRA UUTP breaches.

On November 4, 2024, the OPC (PRPA) received the response to Order Paper Question Q-2954 relating to how many privacy breaches had occurred in federal government departments since March 1, 2023. In it, CRA reported the following:

Part (a): The CRA had 9,068 privacy breaches (impacting a total of 256,978 individuals), of which:

  • 492 were due to security incidents (theft and loss of information, accidental disclosure, etc.) (5.4%)
  • 1,513 were due to misdirected mail (16.7%)
  • 101 were due to employee misconduct (e.g., unauthorized access or unauthorized disclosure) (1.1%)
  • 6,908 were due to UUTP affecting individual accounts (76.2%)
  • 52 were due to UUTP affecting business accounts (0.6%)
  • 2 were discovered following complaints from individuals or the Office of the Privacy Commissioner of Canada (OPC) (0.02%).

Part (b)(vii): The CRA reports all material privacy breaches to the Office of the Privacy Commissioner of Canada (OPC) and TBS in accordance with the mandatory reporting requirement in the TBS Policy on Privacy Protection. Based on TBS policy requirements, 7,046 privacy breaches (77.7%) were, or are in the process of, being reported to the OPC and TBS between March 1, 2023, and September 16, 2024.

On November 19, 2024, during our monthly call with the CRA, the Agency confirmed that 1) not all breaches counted in its response to the Order Paper Question were material, but that 2) those deemed material have since all been reported to the OPC (the numbers differ because of the different reporting periods).

2022 Auditor General Report

On November 21, 2024, during her testimony before ETHI, the Minister of National Revenue, the Hon. Marie-Claude Bibeau, pointed committee members to a 2022 Auditor General Report (the ‘OAG report’) to defend the CRA’s reporting practices of breaches. She explained that, with respect to the 31,000+ incidents reported to the OPC in May 2024, that “this information had already begun to be disclosed” because “23,000 cases had already been made public” in the OAG Report.

Paragraph 10.116 of the Auditor General’s Report 10 states that: “As of July 2022, the agency identified more than 23,000 cases of identity theft in COVID‑19 benefit payments for individuals worth $131 million.” The same paragraph also refers to “payments to 179 business accounts worth $39 million identified as amounts paid as a result of unauthorized access”.

(Redacted)

CRA Numbers at a glance

Number: Source and explanation

5,500: From the TBS CIO statement published in August 2020
  • Number of CRA accounts targeted by bad actors who used GCKey to authenticate to ESDC accounts and then used the e-link to connect directly to the corresponding CRA accounts.

48,500: From the CRA’s breach report related to the credential stuffing attacks
  • Number of potentially affected accounts, based on suspicious activity.
  • Received in September 2020.

26,000: From the 2020 credential stuffing investigation published in February 2024
  • Number of confirmed compromised CRA accounts resulting from a direct credential stuffing attack against the CRA system between July 26 and August 15, 2020.

34,000: From the 2020 credential stuffing investigation published in February 2024
  • Number of individuals affected by a single incident.
  • Not UUTPs, and separate from the incidents referenced in the breach reports submitted to the OPC on May 9, 2024 (31,393) and October 25, 2024 (3,232).

15,000: From the 2020 credential stuffing investigation published in February 2024
  • Dating back to 2020, the approximate number of unreported fraud-related breaches that the OPC learned about at the end of the investigation.
  • These are UUTPs and were later reported to the OPC in the CRA’s May 9, 2024 breach report.
  • They are part of the 31,393 incidents.

31,393: From the May 9 report (the first CRA Quarterly Report to the OPC)
  • Number of material breaches related to individual UUTPs that occurred, or were detected, between May 2020 and November 2023.

3,232: From the October 25 report (the second CRA Quarterly Report to the OPC)
  • Number of material breaches related to individual UUTPs that occurred, or were detected, between November 2023 and September 2024.

9,068: From Order Paper Question Q-2954, Part (a)
  • Includes both material and non-material privacy breaches.
  • These breaches affected a total of 256,978 individuals.
  • Reflects all privacy breaches logged by the CRA for the period of March 2023 to September 2024.

6,908: From Order Paper Question Q-2954, Part (a)
  • Number of individual UUTPs identified for the period of March 2023 to September 2024.
  • These were reported to the OPC and included in the CRA’s May 9, 2024 breach report (part of the 31,393).

7,046: From Order Paper Question Q-2954, Part (b)
  • Includes the 6,908 UUTP breaches referenced above (7,046 - 6,908 = 138).
  • Number of material privacy breaches for the period of March 2023 to September 2024; this includes UUTPs and other breaches.
  • All have now been reported to the OPC, either within the quarterly reports or in separate reports (see the 138 entry below).

138: Based on data found in Order Paper Question Q-2954
  • Difference between the 7,046 material breaches and the 6,908 UUTP cases.
  • Represents other material privacy breaches reported to the OPC outside of the two quarterly reports.

23,000: From the 2022 Auditor General Report
  • Number of identity theft fraud cases for which payments were issued.
  • The audit covered the period between March 15, 2020 and September 30, 2022.
  • These fraud cases were retroactively assessed to be material breaches and reported in the CRA’s May 9, 2024 Quarterly breach report; they are part of the 31,393 and not additional fraud cases.

(Redacted): From the breach report submitted by the CRA on May 14
  • (Redacted)
  • The CRA did not name the tax preparer in its breach report, but recently confirmed that it was H&R Block.

CRA historical breach reporting

  • The CRA has been one of the top breach reporting institutions in the past years.

    Top 3 reporting institutions (number of breaches reported to the OPC)

    Rank   2024-2025 (to date)   2023-2024    2022-2023
    1      ESDC (268)            ESDC (377)   ESDC (196)
    2      CRA (86*)             CRA (71)     CRA (30)
    3      RCMP (14)             CSC (20)     CSC (14)

    *Excluding the UUTP breaches reported on May 9 (31,393 breaches) and on October 25 (3,232 breaches).

  • A large portion of the CRA breaches routinely reported to the OPC (prior to the UUTP breach reports received in May and October) were related to employee snooping. In 2023-2024, employee snooping made up 55% of the breaches reported by the CRA.