Canada’s Privacy Watchdog Demands Urgent Action After 45,000 Tax Account Breaches
Canada’s privacy watchdog has issued a strong warning to the Canada Revenue Agency: the agency must urgently upgrade its cybersecurity systems. The call follows the breach of nearly 45,000 tax accounts since 2020. The breaches exposed sensitive personal and financial information of Canadian taxpayers.
The Office of the Privacy Commissioner of Canada released a detailed report. It found that cybercriminals used stolen credentials to access taxpayer accounts. These credentials were often obtained from data breaches at other companies. Once inside, criminals changed account details. They also filed false tax returns and claimed benefits they were not entitled to.
How the Breaches Happened
The report explains that the attacks were not highly sophisticated. Criminals simply used usernames and passwords stolen from other websites. Many people reuse the same passwords across multiple accounts. This made it easy for hackers to break into CRA accounts. Once inside, they could see past tax returns, direct deposit information, and social insurance numbers.
In some cases, criminals changed the direct deposit details. This allowed them to redirect tax refunds and benefit payments to their own bank accounts. The CRA detected many of these fraudulent activities. But by then, the damage was already done. Victims faced delays in getting their legitimate refunds. Some had to spend months proving their identity to the agency.
Scale of the Problem
The privacy commissioner’s report states that over 42,000 accounts were compromised between March 2020 and December 2021. Since then, the number has grown to nearly 45,000. That means thousands of Canadians had their personal data exposed. Many victims reported identity theft and financial loss. Some even had their accounts locked by the CRA to prevent further fraud.
For example, one victim discovered that someone had filed a false tax return in their name. The criminal claimed a large refund. The real taxpayer only found out when they tried to file their own return. They had to contact the CRA and provide proof of identity. It took weeks to resolve the issue.
What the Watchdog Wants
The privacy commissioner’s report makes several recommendations. First, the CRA must implement stronger authentication methods. This includes multi-factor authentication for all accounts. Multi-factor authentication requires a second step, like a code sent to a phone. This makes it much harder for criminals to break in even if they have the password.
Second, the CRA should monitor for suspicious activity more closely. For example, if someone logs in from an unusual location or changes banking details, the system should flag it. Third, the agency must improve its response time when breaches are detected. Faster action can limit the damage.
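The monitoring rule recommended above, written as detection logic over a constructed event log. This is an added example, not code from the report or the CRA; the event fields, location codes, 24-hour correlation window and severity labels are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events (not real CRA data): time, account, action, location
EVENTS = [
    ("2021-03-01T09:00", "acct-1001", "login", "CA-ON"),
    ("2021-03-01T09:05", "acct-1001", "view_return", "CA-ON"),
    ("2021-03-02T10:00", "acct-1002", "login", "CA-BC"),
    ("2021-03-02T10:10", "acct-1002", "bank_change", "CA-BC"),
    ("2021-03-03T02:14", "acct-1003", "login", "XX-01"),
    ("2021-03-03T02:16", "acct-1003", "bank_change", "XX-01"),
    ("2021-03-03T02:20", "acct-1003", "file_return", "XX-01"),
]

# Assumed baseline: locations each account has logged in from before
KNOWN = {"acct-1001": {"CA-ON"}, "acct-1002": {"CA-BC"}, "acct-1003": {"CA-QC"}}


def flag_events(events, known, window=WINDOW):
    """Return (account, time, severity, reason) tuples for events needing review."""
    alerts = []
    last_unusual_login = {}  # account -> time of latest login from a new location
    for ts, acct, action, loc in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if action == "login" and loc not in known.get(acct, set()):
            last_unusual_login[acct] = when
            alerts.append((acct, ts, "medium", "login from unfamiliar location"))
        elif action == "bank_change":
            seen = last_unusual_login.get(acct)
            if seen is not None and when - seen <= window:
                # Both signals together: the pattern behind redirected refunds
                alerts.append((acct, ts, "high", "bank change after unfamiliar login"))
            else:
                alerts.append((acct, ts, "low", "bank change, confirm with account holder"))
    return alerts


if __name__ == "__main__":
    for alert in flag_events(EVENTS, KNOWN):
        print(alert)
```

Either signal alone is flagged, and the two together on one account are escalated so that a payment can be held before it is redirected.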
New Security Measures Being Implemented
The CRA has already started making changes. It now requires multi-factor authentication for many users. It also uses advanced analytics to detect unusual patterns. The agency says it is working to protect taxpayer information. But the privacy watchdog says more needs to be done. It calls the current situation “urgent” and warns that delays could lead to more breaches.
What This Means for Taxpayers
For ordinary Canadians, this news is a reminder to protect their online accounts. Using strong, unique passwords for each account is essential. Enabling multi-factor authentication adds an extra layer of security. Taxpayers should also monitor their CRA accounts regularly. If they see anything unusual, they should report it immediately.
The CRA has set up a dedicated line for breach victims. It also offers credit monitoring services in some cases. But the best defense is prevention. As the privacy watchdog makes clear, the CRA must act fast. Taxpayers deserve to know their personal information is safe. Until then, everyone should stay vigilant.

