Canada Revenue Agency Hit by Massive Tax Fraud, $6 Million Stolen
The Canada Revenue Agency (CRA) faced a significant data breach during the 2024 tax season. Hackers exploited confidential data from H&R Block to gain unauthorized access to taxpayers’ personal accounts. The perpetrators altered banking details and filed fraudulent tax returns, enabling the theft of over $6 million from the budget.
The fraudsters used H&R Block credentials to infiltrate Canadian tax accounts. In the fraudulent returns, hackers provided an actual postal code but fabricated an address on the imaginary “Tomato Street.” The culprits routed funds to shell accounts and manipulated reports to secure tax refunds and credits.
In one instance, multiple unrelated payments were detected being funneled into the same bank account. Timely intervention prevented the theft of an additional $14 million that the fraudsters aimed to siphon.
Despite the scale of the fraud, the CRA and the Ministry of Revenue refrained from disclosing the incident to the public, with officials declining to comment. H&R Block stated its systems were not breached, and an internal investigation confirmed none of its clients were affected. CRA ruled out an internal data leak but has yet to identify the perpetrators or the origin of the attack.
Data protection challenges within the CRA have been escalating since 2020, amid new fraud schemes linked to COVID-19 relief payments. In fact, over the past three years, more than 31,000 similar incidents have surfaced, impacting roughly 62,000 taxpayers.
The CRA attributes the rising number of breaches to the increasing frequency of cyberattacks targeting taxpayer accounts. The agency said that each affected individual is offered credit monitoring. However, precise data on the scope of the issue remains undisclosed, sparking dissatisfaction among auditors and experts.
Sources within the CRA reveal that the agency operates on a “pay now, verify later” basis, which means it prioritizes prompt refunds, checking for discrepancies only afterward. This approach provides openings for fraudulent activity. Additional problems arise from insufficient coordination within the agency and with banks. Although it’s suspected that specific bank accounts were used in the fraud, the CRA hasn’t consistently shared this information with financial institutions.
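The example below is an added illustration, not code from the article or from the CRA. It sketches a check that runs before a refund is paid rather than after, using the signals reported above: one deposit account receiving refunds for unrelated households, a street that does not exist for the stated postal code, and banking details changed with the return. All field names, postal codes, account numbers and amounts are constructed assumptions.

```python
from collections import defaultdict

# Constructed reference data: streets that exist for each postal code.
KNOWN_STREETS = {"A1A 1A1": {"MAIN ST"}, "B2B 2B2": {"KING ST"}}

# Constructed refund claims; every field name here is an assumption.
CLAIMS = [
    {"id": "R1", "household": "H1", "account": "ACC-1", "bank_changed": False,
     "postal": "A1A 1A1", "street": "Main St", "refund": 1200},
    {"id": "R2", "household": "H2", "account": "ACC-9", "bank_changed": True,
     "postal": "A1A 1A1", "street": "Tomato Street", "refund": 4100},
    {"id": "R3", "household": "H3", "account": "ACC-9", "bank_changed": True,
     "postal": "B2B 2B2", "street": "Tomato Street", "refund": 3900},
    {"id": "R4", "household": "H4", "account": "ACC-9", "bank_changed": False,
     "postal": "B2B 2B2", "street": "King St", "refund": 2500},
    {"id": "R5", "household": "H5", "account": "ACC-5", "bank_changed": True,
     "postal": "B2B 2B2", "street": "King St", "refund": 800},
]

SHARED = "deposit account shared by unrelated households"
ADDRESS = "street not found for the postal code"
CHANGED = "banking details changed with this return"

def review_before_payment(claims, known_streets, max_households=1):
    """Return {claim id: [reasons]} for refunds to hold until verified."""
    households = defaultdict(set)
    for c in claims:
        households[c["account"]].add(c["household"])
    held = {}
    for c in claims:
        reasons = []
        if len(households[c["account"]]) > max_households:
            reasons.append(SHARED)
        if c["street"].upper() not in known_streets.get(c["postal"], set()):
            reasons.append(ADDRESS)
        if c["bank_changed"]:
            reasons.append(CHANGED)
        # A shared account holds on its own; the weaker signals need a pair,
        # so a routine change of bank account (R5) is still paid promptly.
        if SHARED in reasons or len(reasons) >= 2:
            held[c["id"]] = reasons
    return held

def amount_held(claims, held):
    """Total refund value withheld pending verification."""
    return sum(c["refund"] for c in claims if c["id"] in held)

if __name__ == "__main__":
    held = review_before_payment(CLAIMS, KNOWN_STREETS)
    print(held, amount_held(CLAIMS, held))
```

The list of accounts that trip the shared-account rule is also the information that would be passed to the receiving banks.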
The CRA asserts that it is taking measures to protect taxpayers’ data and is adapting its operations to address emerging threats. The agency also claims to have developed protocols for swiftly responding to breaches and preventing further incidents.