Thousands of Canada Revenue Agency (CRA) accounts have been compromised since 2020, raising serious concerns about cybersecurity and taxpayer privacy. Privacy Commissioner Philippe Dufresne addressed the issue during a news conference in Ottawa on May 6, 2026, emphasizing the need for stronger protective measures.
Scope of the Breach
According to recent reports, over 15,000 CRA accounts were accessed without authorization between 2020 and early 2026. Cybercriminals gained entry by exploiting weak passwords and by reusing credentials exposed in other data breaches. The compromised accounts were used to file fraudulent tax returns and redirect refunds to criminals' bank accounts.
What the Privacy Commissioner Says
Commissioner Dufresne stated that the CRA must do more to safeguard taxpayer information. He called for enhanced authentication methods, such as multi-factor authentication (MFA), and better public education on cybersecurity. "Canadians deserve to have their personal data protected," Dufresne said. "The CRA must act swiftly to restore trust."
How to Protect Your Account
Taxpayers are urged to take the following steps:
- Use strong, unique passwords for CRA accounts
- Enable multi-factor authentication if available
- Monitor account activity regularly for suspicious changes
- Report any unauthorized access to the CRA immediately
What the CRA Is Doing
The CRA has implemented additional security protocols, including blocking suspicious logins and notifying users of unusual activity. However, experts argue that more proactive measures are needed, such as mandatory MFA and real-time alerts for all account changes.
Broader Implications
This breach is part of a larger trend of cyberattacks targeting government agencies. The Privacy Commissioner's office is investigating the CRA's data protection practices and may recommend legislative changes to strengthen cybersecurity laws.
Canadians are advised to remain vigilant and take steps to secure their online accounts. For more information, visit the CRA's security page or contact the Privacy Commissioner's office.



