Hackers Used Stolen Canadian Taxpayers' Credentials to Steal $6 Million, Investigation Reveals

The Canada Revenue Agency (CRA) has discovered that hackers obtained hundreds of people's CRA credentials and eventually stole $6 million from bogus refunds. 

Getting access to people's CRA accounts might sound like it won't do much good to hackers. Besides obtaining personal data, including user names and passwords, it's not like breaching a banking account. But the reality is very different, and the attackers knew what they were doing. 

According to an investigation by CBC's The Fifth Estate and Radio-Canada, the data breach originated with a third-party service provider, H&R Block, which is a tax preparation company. 

The operation was very complex. Criminals used the stolen credentials to access Canadian citizens' accounts, change the direct deposit information, and then submit false returns. They defrauded the public finances by $6 million from fake refunds. 

"Hackers had obtained H&R Block e-filing credentials provided by the CRA — in essence the confidential electronic keys used by the firm's accountants to file returns on behalf of taxpayers," the investigation revealed.

The natural question is how they get the information in the first place. The investigation revealed a data breach at H&R Block. The firm has vehemently denied that it was the origin of the data breach, saying that it performed a comprehensive investigation that eventually concluded no "data, systems, software and security" had been affected. 

On the other hand, the CRA could not pinpoint the hackers who used the stolen information or their origin. Moreover, The Fifth Estate and Radio-Canada's investigation also showed that affected taxpayers hadn't been informed about this data breach. According to the CBC, a total of 71 data breaches at the CRA in the 2023 fiscal year were reported to Parliament. 

Making matters worse, the CRA reported 31,468 between March 2020 and December 2023, which affected around 62,000 Canadians. The bigger problem is that those 31,468 privacy breaches have been reported retroactively. 

The ordinary course after a data breach is to inform taxpayers and offer them credit protection, but that's difficult to do if the data breach isn't acknowledged in the first place.