Tens of thousands of Canadian taxpayers were hacked and millions were stolen

In the middle of the 2024 tax season, the Canada Revenue Agency (CRA) discovered that fraudsters had gotten their hands on confidential information used by H&R Black Canada, a company that generates millions of tax returns each year.

Using codes intended for tax preparers, these fraudsters took control of hundreds of taxpayers' tax accounts, specifically to change the bank account on file.

According to an investigation conducted by the show The Fifth Estate of CBC And through Radio-Canada, these hackers submitted hundreds of false ads and extorted $6 million before the scheme was discovered.

One of the hackers also sent a declaration with a legitimate postal code but put the address on a fake address. Tomato street.

The results of the investigation conducted by CBC/Radio-Canada, criticized tax expert Andre Lauro's vulnerabilitiesbow In the background of increasing computer attacks.

The alarm system was not working when the robbers entered the bankAssociate Professor of Law at Laval University explained.

According to our sources, thebow In April traces of a new tax fraud scheme were discovered on the underground web.

Hackers boast of having identifiers for electronic transmission of declarations provided bybow on the H&R block. Essentially, these are secret electronic codes used by company professionals to generate returns on behalf of their clients.

l'bow It was later realized that she had made several false refunds to unrelated taxpayers…but shared the same bank account.

Auditors ofbow The perpetrators ended the scheme after receiving $6 million in reimbursements and additional demands for $14 million.

Radio-Canada and The Fifth Estate Sources who are not authorized to speak publicly about these files have been granted confidentiality.

An undisclosed leak

In a written response, H&R Block said there was no indication of a leak from its computer systems.

The company states that a A deep internal investigation It was concluded that under no circumstances ITS DATA, SYSTEMS, SOFTWARE AND SECURITY MEASURES No compromise.

Open in full screen mode

H&R said there was no indication its own customers were among the taxpayers affected by the black leak.

Sources saybow In addition to informing the Office of the Minister of Revenue, press lines were prepared in the spring to be ready to respond to requests for information on the scheme.

The Canadian public, however, was not informed in advance of the situation.

The Minister of National Revenue, Marie-Claude Bibeau, declined an interview request CBC/Radio-Canada on this issue.

Open in full screen mode

Sources saidbow It failed to identify the hackers, but ruled out a breach of its own systems or the possibility of insider involvement.

Hence the identity and origin of the perpetrators of the scheme is unknown.

Huge increase in reported violations

In a series of annual reports submitted to Parliament, the Office of the Privacy Commissioner reported only 113 privacy breaches in total.bow In fiscal years 2020 to 2024.

In response to questions from CBC/Radio-Canada, Thebow It now admits to 31,468 privacy breaches between March 2020 and December 2023, directly affecting 62,000 Canadian taxpayers.

According to our sources, many auditors and investigators fear that the public is losing faith in the federal agency charged with protecting taxpayer money and personal information.

According to tax expert André Lauro, a parliamentary committee should launch a study to determine the extent of the problem and get answers.bow and the responsible minister.

They need to say exactly what happened and how much money is at stakeHe declared.

Open in full screen mode

Conservative MP Pierre Paul-Has condemned the government's silence.

They hide information from the public and members of parliamentHe said in an interview. We need to know what happened at the Canada Revenue Agency and especially why they hid information from Canadians.

The Office of the Privacy Commissioner defended the decision not to disclose the huge increase in privacy breaches in an annual report to Parliament in June.

The office explainedbow After the end of the financial year 2023-2024, information on the increase in the number of cases has been sent and these new cases will be part of the next annual report.

Commissioner Philippe Dufresne declined an interview request on the issue.

For its part, thebow After investigating and confirming 31,468 privacy violations, it reported them retrospectively.

In response to questions from The Fifth Estate And Radio-Canada, the agency announced a Significant increase in external data breaches and cyber threats where Unauthorized third parties Accessed Canadians' accounts, changed, submitted direct deposit information Fraudulent tax information slips and filed false tax returns.

Open in full screen mode

l'bow It said that when there is a violation, the taxpayers will be notified directly and they will benefit Credit protection if required And she takes it Very seriously Protecting Canadians' tax information.

l'bow She did not explain how or when she learned that the number of privacy breaches was significantly higher than the figures provided to Parliament.

In response to our questions, thebow It said a total of $190 million in payments had been issued in connection with the cases Confirmed Fraud related to privacy breaches from 2020.

Most of these amounts were granted in 2020, at the start of the Covid-19 pandemic. Amounts experienced since a Big discountRepresents the agency.

l'bow It adds that it transferred a total of $3 million to fraudsters in 2024, which is less than the amounts lost to the scheme based on H&R Black data. According to our sources, however, thebow An evaluation of many suspicious files that have not yet been treated as confirmed cases of fraud must be conducted.

H&R Block: No exception

According to sources, recent frauds illustrate the extentbow A host of tax frauds are engaged, underfunded and outsmarted by hackers and scammers who take advantage of the inability to detect them.

l'bow Processing reimbursement requests and living with the consequences of its policy Ask questions latersources suggest.

Andre Lauro explainedbow Proud of its agency image Efficient Who processes taxpayer files? as soon as possible.

However, this approach creates loopholes that allow fraudsters to thrive, sources said The Fifth Estate and on Radio-Canada.

Sources saybow Banks don't always share sensitive information with financial institutions, even when they suspect fraudsters are using one of their accounts.

Open in full screen mode

Sources said the agency is worried that a lack of internal communication is slowing down the hunt for hackers.

l'bow A significant increase in private data breaches dates back to 2020 and the introduction of new COVID-19 emergency benefits. The agency said it responded by providing more protection for individual taxpayer accounts and protecting its online services.

In his written statement, thebow pointed out that Processes and procedures are in place to respond quickly and mitigate threats to taxpayer information and accounts In case of violation.

As fraudsters adapt their methods,bow That's what it doesAn agency spokeswoman, Kim Thiefault, announced.