
Hackers stole $6.6 million through fake tax returns from the Canada Revenue Agency


Hackers used Canada Revenue Agency personal account information to steal $6.6 million.

A CRA official told INsauga.com that “threat actors” were trying to get $21.5 million.

Fraudsters used H&R Block Canada’s sensitive credentials to hack into hundreds of Canadians’ personal CRA accounts, alter direct deposit information and file false returns during the 2024 tax season, an investigation by CBC’s The Fifth Estate and Radio-Canada found.

In this particular case, the hackers tried to collect $21.5 million in bogus refunds, but the CRA intercepted $14.9 million, resulting in a $6.6 million loss, the CRA told INsauga.com.

In total, the CRA has blocked $157 million, the spokesman said.

H&R Block Canada is one of many third parties that hold the credentials, and the CRA said it works with those companies to provide taxpayer information when it is compromised.

H&R Block told the CBC that it investigated and found that none of its systems were breached and that the taxpayers affected were not H&R Block customers.

The CRA did not say who hacked the data or where it came from.

The CRA said it takes the necessary security measures in the event of unauthorized use of taxpayer information by a third party.

“This includes contacting affected individuals directly to inform them of the incident, inform them of the steps the CRA is taking to protect their information, and outline the steps they can take to further protect their account,” the spokesperson said in an emailed statement.

In the event of a privacy breach affecting the general Canadian public, the CRA may decide to issue a public notification. In 2020, the CRA issued a general warning about credential attacks and strongly urged Canadians to avoid reusing passwords.

Since 2020, the number of cases of theft of personal data and unauthorized use of taxpayer information by a third party has increased significantly, the report says. These incidents occurred after the announcement of emergency benefits due to COVID-19.

“Later that year, the CRA also saw a marked increase in external data breaches and cyber threats as external threat actors sought to take advantage of a unique and lucrative set of circumstances,” the spokesperson said.

At the time, the CRA prioritized account protection, improved security and protection measures, and outreach to affected taxpayers, the CRA said.

The CRA has confirmed that the following amounts were fraudulently paid to individual accounts related to the unauthorized use of taxpayer information by a third party. These numbers only take into account T1 returns and COVID benefits:

  • 2020: $181 million
  • 2021: $5 million
  • 2022: $0.4 million
  • 2023: $2 million
  • 2024: $3 million (as of October 4, 2024)

“The sharp reduction in these numbers after 2020 demonstrates that CRA systems are detecting and stopping fraudulent claims before they are paid,” the statement said.

The CRA is working with Public Services and Procurement Canada to recover funds from financial institutions that have been released as a result of the unauthorized use of taxpayer information by a third party.

From March 2020 to December 2023, reports of 31,468 breaches to the Canadian Parliament were delayed because there was no process for reporting these types of privacy breaches and because the agency prioritized protecting accounts and counselling affected taxpayers, the CRA said. There were also difficulties in contacting taxpayers to confirm the violation.

The CRA said it is constantly improving security measures, technologies, processes and controls to ensure the safety of taxpayer information.

Security measures include multi-factor authentication across all CRA login services and proactive revocation of user IDs and passwords that may have been obtained by unauthorized third parties through various external sources.

“Protecting taxpayer information remains one of our highest priorities,” the spokesperson said. “While we acknowledge our robust security controls, we, like many large organizations, are not immune to privacy breaches, and we understand that this can cause concern and frustration for those affected.”

The agency proactively detects, reports, and remediates external fraud and unauthorized third-party use of taxpayer information.

“If we suspect that an account is the target of an external threat, we take quick and immediate precautionary measures against the taxpayer’s account, such as locking it to prevent transactions, conducting in-depth checks and contacting individuals,” the statement said. “If a breach of privacy is confirmed, the CRA formally notifies the affected individuals and provides credit protection, where appropriate, free of charge to them.”

Taxpayers who are confirmed victims of identity theft are not responsible for any money paid to the fraudsters, or for any penalties or interest associated with the fraudulent claims, the spokesman said.

For more information on protecting personal information from external threats, see the government website.
