
Published: June 5, 2026

Overview: Privacy Commissioner Finds Serious Deficiencies in CRA Security Practices

The Office of the Privacy Commissioner of Canada (“OPC”) recently released a significant report concerning widespread unauthorized access to taxpayer information held by the CRA. The report concluded that the CRA contravened provisions of the federal Privacy Act after tens of thousands of taxpayer accounts were improperly accessed or modified by unauthorized third parties between 2020 and 2023.

According to the OPC’s findings, more than 42,000 confirmed individual breaches were reported involving unauthorized access to sensitive taxpayer information. The breaches included situations where attackers gained access to CRA accounts, altered account details, redirected government benefits, and submitted fraudulent claims using stolen taxpayer identities.

The investigation represents one of the most significant findings ever issued against the CRA concerning taxpayer privacy protection and cybersecurity safeguards.

What the Privacy Commissioner Found About CRA Security Weaknesses

The OPC concluded that the CRA failed to adequately safeguard highly sensitive taxpayer information. The report identified several systemic deficiencies in the CRA’s cybersecurity and breach management practices, including:

  • Delays in implementing mandatory multi-factor authentication (“MFA”)
  • Use of weaker authentication methods instead of stronger industry-standard protections
  • Inadequate monitoring and detection systems
  • Insufficient visibility into how attackers gained access to taxpayer accounts
  • Incomplete breach tracking systems
  • Reactive rather than proactive cybersecurity governance
  • Failure to conduct sufficient root-cause analyses for many individual breaches

The OPC specifically noted that many unauthorized access incidents were discovered only after taxpayers themselves reported suspicious activity.

The report also emphasized that the CRA holds extraordinarily sensitive personal and financial information, making it an attractive target for cybercriminals and identity thieves.

How CRA Account Breaches Typically Occur

The OPC investigation examined several methods used by attackers to compromise taxpayer accounts. Common attack vectors included:

Credential Stuffing Attacks

Credential stuffing occurs when attackers use usernames and passwords stolen from unrelated data breaches to attempt access to CRA accounts. Because many individuals reuse passwords across multiple platforms, attackers can often gain access when taxpayers fail to use unique credentials.

Social Engineering and Phone-Based Fraud

Attackers sometimes impersonate taxpayers during telephone interactions with CRA representatives. Weak identity-verification processes may allow fraudsters to reset account credentials or alter account information.

Compromised Financial Institution Credentials

Some unauthorized access incidents involved vulnerabilities associated with linked financial institution credentials and external authentication systems.

Fraudulent Tax Return Filings

The report also examined schemes involving fraudulent tax return submissions and unauthorized modifications to taxpayer accounts.

Why CRA Privacy Breaches Matter for Canadian Taxpayers

The financial and personal consequences of unauthorized CRA account access can be severe. Taxpayers affected by these breaches may experience:

  • Identity theft
  • Fraudulent benefit applications
  • Redirected tax refunds
  • Unauthorized changes to direct deposit information
  • Fraudulent tax filings
  • Delayed legitimate refunds or benefits
  • Significant psychological stress
  • Long-term credit and financial complications

The OPC specifically recognized that victims can spend years dealing with the consequences of identity theft arising from CRA-related breaches.


These concerns are particularly important because CRA accounts contain highly sensitive information, including:

  • Social Insurance Numbers
  • banking information
  • employment history
  • tax filings
  • benefit payment details
  • family information
  • business records

CRA Accepted Most Privacy Commissioner Recommendations

The OPC issued nine recommendations to improve CRA cybersecurity practices and breach response systems. The CRA accepted eight recommendations in full and one recommendation in part.

The CRA has reportedly implemented several improvements, including:

  • Enhanced multi-factor authentication systems
  • One-time passcode protections
  • Improved breach-management processes
  • Expanded monitoring systems
  • Additional governance measures

However, the OPC concluded that further reforms remain necessary because the CRA’s approach still lacks sufficient coordination and proactive oversight.

Federal Court Approval of the Sweet v. His Majesty the King Settlement

The recent OPC findings also arise alongside the Federal Court’s approval of the settlement in Sweet v. His Majesty the King, a class proceeding involving Government of Canada online account breaches affecting CRA “My Account” users and other federal online services during the COVID-19 pandemic.

The litigation concerned allegations that unauthorized third parties gained access to Government of Canada online accounts through credential stuffing attacks and related cybersecurity vulnerabilities between March 2020 and December 2020. The proceeding involved allegations that insufficient safeguards permitted unauthorized access to sensitive taxpayer and personal information, including CRA account data.

The approved settlement applies to affected users of various Government of Canada online systems, including CRA “My Account,” My Service Canada Account, and other GCKey-linked services. The litigation also involved allegations that compromised accounts were used to facilitate fraudulent CERB and CESB benefit applications.

The Federal Court’s approval of the settlement represents another significant development in the growing legal and regulatory scrutiny surrounding CRA cybersecurity protections, taxpayer privacy obligations, and government authentication systems.

The combination of the OPC findings and the approved settlement in Sweet v. His Majesty the King may increase pressure on the CRA and other federal agencies to strengthen cybersecurity controls, modernize authentication procedures, improve breach detection systems, and implement more proactive privacy safeguards.

Taxpayer Rights Following a CRA Privacy Breach

Canadian taxpayers affected by unauthorized CRA account access may have several potential rights and remedies available depending on the circumstances.

Affected individuals should immediately:

  • contact the CRA
  • secure their CRA online credentials
  • enable multi-factor authentication
  • review account activity
  • monitor direct deposit information
  • check for unauthorized tax filings or benefit applications
  • notify financial institutions
  • monitor credit reports for suspicious activity

Taxpayers who suffered financial losses may also wish to consult an experienced Canadian tax lawyer regarding potential remedies, CRA administrative relief options, identity-theft issues, and possible civil claims.

Key Takeaways About CRA Privacy Breaches, CRA Account Security, and Canadian Taxpayer Rights

The OPC’s findings highlight the growing importance of cybersecurity and identity protection in Canadian tax administration. The CRA’s online systems contain some of the most sensitive personal and financial information held by the federal government. As cyber threats continue evolving, taxpayers should expect stronger authentication systems, enhanced monitoring, and more proactive breach prevention measures from the CRA.


The Federal Court approval of the settlement in Sweet v. His Majesty the King further demonstrates that cybersecurity failures involving taxpayer information can create substantial legal, financial, and reputational consequences for government institutions.

Canadian taxpayers should also take proactive steps to protect themselves by using unique passwords, enabling multi-factor authentication, regularly reviewing CRA account activity, and promptly reporting suspicious conduct.

For taxpayers who have experienced unauthorized CRA account access, identity theft, fraudulent benefit claims, or suspicious tax filings, early intervention from an experienced Canadian tax lawyer can help mitigate financial losses and address resulting CRA compliance issues.

Pro Tax Tips

CRA account security should be treated with the same level of caution as online banking credentials. Taxpayers should avoid password reuse across platforms, regularly review CRA account access logs and direct deposit details, and immediately investigate any unexpected CRA correspondence or benefit notifications. Businesses and individuals using tax preparers or authorized representatives should also periodically review authorization permissions within CRA online portals to ensure that only intended parties retain account access.

FAQs

Can someone access my CRA account without my password?

Yes. The OPC investigation found that attackers used multiple techniques, including credential stuffing, social engineering, and exploitation of authentication weaknesses, to gain unauthorized access to taxpayer accounts.

What should I do if I suspect unauthorized access to my CRA account?

Immediately change your CRA credentials, enable multi-factor authentication, contact the CRA, review account activity, monitor your financial accounts, and consider consulting an experienced Canadian tax lawyer if fraud or identity theft has occurred.

What is credential stuffing?

Credential stuffing is a cyberattack technique where stolen usernames and passwords obtained from unrelated data breaches are reused to attempt access to other accounts, including CRA accounts.

Did the Privacy Commissioner find the CRA violated privacy laws?

Yes. The OPC concluded that the CRA contravened provisions of the Privacy Act relating to the protection and accuracy of personal information.

Why is the Sweet v. His Majesty the King settlement important?

The settlement highlights the legal and financial consequences that may arise when government cybersecurity protections fail to adequately safeguard taxpayer and personal information. The Federal Court approval of the settlement also reflects increasing judicial scrutiny of government data-protection practices.

Disclaimer: This article provides broad information. It is only accurate as of the posting date. It has not been updated and may be out-of-date. It does not give legal advice and should not be relied on as tax advice. Every tax scenario is unique to its circumstances and will differ from the instances described in the article. If you have specific legal questions, you should seek the advice of a Canadian tax lawyer.

Address: Rotfleisch & Samulovitch P.C.
2822 Danforth Avenue Toronto, Ontario M4C 1M1