Tens of thousands of taxpayer accounts hacked as CRA repeatedly paid out millions in bogus refunds
Agency admits it vastly underreported cyberattacks against Canadian taxpayers to Parliament
Hackers Exploit H&R Block Credentials to Steal Millions from Canadian Taxpayers
During this year’s tax season, the Canada Revenue Agency (CRA) discovered that hackers had accessed sensitive information from H&R Block Canada, one of the country’s largest tax preparation firms.
Using the firm's e-filing credentials, the attackers gained unauthorized access to hundreds of Canadians' CRA accounts, changed direct deposit details, filed false tax returns and collected more than $6 million in fraudulent refunds, according to an investigation by CBC's The Fifth Estate and Radio-Canada.
In one instance, the hackers submitted a return using a legitimate postal code but a fabricated address on a non-existent "Tomato Street."
“Obviously, the door is open, and some people are infiltrating the system,” said André Lareau, a tax professor at Laval University. “But the CRA does not seem to have found the key to lock the door.”
The CRA reportedly informed Revenue Minister Marie-Claude Bibeau’s office of the breach and prepared media responses in case the incident became public. However, no official alert was issued.
H&R Block denied responsibility, stating, “A comprehensive internal investigation concluded that none of our data, systems, software, or security had been compromised.” The firm added it had no reason to believe the affected Canadians were its clients.
The CRA confirmed it could not identify the hackers but ruled out a breach of its own systems and insider involvement, leaving the origin of the attack unexplained. Both the revenue minister and the CRA declined to respond to further questions.
Surge in Privacy Breaches Overwhelms CRA
The investigation by The Fifth Estate and Radio-Canada revealed that the H&R Block breach is just one example of the many cyberattacks plaguing the CRA. Concerns are growing that these breaches could erode public trust in the agency’s ability to protect taxpayer information.
Between March 2020 and December 2023, the CRA recorded 31,468 "material" privacy breaches affecting 62,000 taxpayers. In comparison, just 71 breaches were reported for the fiscal year ending March 2024, according to the Privacy Commissioner's June report.
The Privacy Commissioner, Philippe Dufresne, declined an interview, explaining that the CRA provided the updated breach data after the March 2024 reporting period. The new figures will appear in next year’s report.
Critics argue that Parliament was left in the dark about the full scale of these breaches, with Lareau calling for a parliamentary inquiry to uncover the extent of the issue and compel accountability. “They all should tell exactly what happened [and] how much money is involved,” Lareau said.
Systemic Fraud and Internal Challenges
The CRA admitted in its response to the investigation that scammers used stolen information to change banking and address details, file fraudulent returns, and generate bogus tax slips. In one case, auditors discovered multiple fraudulent refunds directed to the same bank account.
Sources said the agency's "pay and chase" approach, which issues refunds quickly and audits them only afterward, leaves the system open to fraud. The push to pay out fast, intended to project efficiency, has given scammers their window.
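As an added illustration, not code from the CBC/Radio-Canada investigation or from any CRA system, the following Python routine shows what a pre-payment screen (the opposite of "pay and chase") could look like using the two indicators the article mentions: several taxpayers' refunds routed to one bank account, and a refund filed shortly after the direct-deposit details were changed. The records, thresholds, account tokens and taxpayer identifiers are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Constructed sample records (not CRA data). Identifiers are placeholders,
# not real SINs or account numbers.
@dataclass(frozen=True)
class RefundRequest:
    taxpayer_id: str              # hypothetical taxpayer identifier
    account: str                  # hypothetical destination bank account token
    amount: float                 # refund amount requested
    filed: date                   # date the return was filed
    account_changed: Optional[date]  # last direct-deposit change, None if never changed

# Assumed thresholds for the example; a real programme would tune these.
RECENT_CHANGE_DAYS = 30          # a deposit change this close to filing is suspicious
MAX_TAXPAYERS_PER_ACCOUNT = 1    # one account should normally serve one taxpayer


def hold_decisions(requests: Iterable[RefundRequest]) -> Dict[str, List[str]]:
    """Return {taxpayer_id: [reasons]} for refunds that should be held for
    review before payment rather than paid first and audited later."""
    requests = list(requests)
    # Fan-in: which distinct taxpayers point at each destination account.
    fan_in = defaultdict(set)
    for r in requests:
        fan_in[r.account].add(r.taxpayer_id)

    holds: Dict[str, List[str]] = {}
    for r in requests:
        reasons = []
        shared_by = len(fan_in[r.account])
        if shared_by > MAX_TAXPAYERS_PER_ACCOUNT:
            reasons.append(f"account {r.account} shared by {shared_by} taxpayers")
        if r.account_changed is not None:
            age = (r.filed - r.account_changed).days
            if 0 <= age <= RECENT_CHANGE_DAYS:
                reasons.append(f"direct-deposit details changed {age} days before filing")
        if reasons:
            holds[r.taxpayer_id] = reasons
    return holds


def held_amount(requests: Iterable[RefundRequest]) -> float:
    """Total value that would be held back by hold_decisions()."""
    requests = list(requests)
    held = hold_decisions(requests)
    return sum(r.amount for r in requests if r.taxpayer_id in held)


# Constructed sample: three refunds aimed at one account, one of them on
# freshly changed banking details, plus two ordinary-looking refunds.
SAMPLE = [
    RefundRequest("T-001", "A-111", 800.0, date(2024, 4, 10), date(2024, 2, 1)),
    RefundRequest("T-002", "A-222", 1200.0, date(2024, 4, 5), date(2024, 4, 1)),
    RefundRequest("T-003", "A-222", 950.0, date(2024, 4, 6), date(2024, 4, 2)),
    RefundRequest("T-004", "A-222", 3100.0, date(2024, 4, 7), None),
    RefundRequest("T-005", "A-333", 400.0, date(2024, 4, 8), None),
]

if __name__ == "__main__":
    for taxpayer, reasons in hold_decisions(SAMPLE).items():
        print(taxpayer, "HELD:", "; ".join(reasons))
    print("total held:", held_amount(SAMPLE))
```

The point of the fan-in check is that it only works if the screen runs before money moves: once three refunds have already landed in A-222, the same signal is merely an audit finding, which is the situation the article describes.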
In 2020, amid a wave of cyberattacks during the pandemic, the CRA mistakenly paid out more than $190 million in fraudulent refunds. Although the CRA claims recent improvements have reduced fraud, sources revealed that a backlog of suspicious cases remains unresolved.
The CRA said it identified the misuse of H&R Block’s e-filing credentials—used by accountants to submit tax returns on behalf of clients—after finding stolen data offered for sale on the dark web in April. The stolen credentials enabled hackers to access taxpayer accounts and redirect refunds.
According to the CRA, it prevented an additional $14 million in fraudulent payments but still lost over $6 million in 2024 due to the H&R Block breach alone—contradicting the agency's earlier statement that only $3 million in fraudulent payouts occurred that year.
CRA Struggles with Communication and Fraud Prevention
Sources noted that internal communication issues and a lack of coordination with financial institutions hindered the CRA’s efforts to track and stop fraud. Even when the agency suspected fraud involving specific bank accounts, key information was not always shared with the relevant institutions.
The CRA acknowledged the challenges posed by the surge in cyberthreats and said it has introduced enhanced protections for taxpayer accounts. Spokesperson Kim Thiffault stated, "Processes and procedures are in place to quickly respond and mitigate threats to taxpayer information and taxpayer accounts."
“As scammers adapt their practices, so does the CRA,” Thiffault added, emphasizing the agency’s commitment to safeguarding Canadians' tax information. However, the backlog of suspicious cases continues to raise concerns about the CRA's ability to fully control the situation.