Canada Revenue Agency data breaches: what happened, who was affected, and what changed
Updated with the Privacy Commissioner’s May 2026 special report: more than 42,000 confirmed individual taxpayer breaches (UUTPs), nine recommendations, and a wider lens than 2020 credential stuffing alone—plus settlement context and what CRA says it changed.
What happened
Canada Revenue Agency taxpayer accounts have been exploited by malicious actors since at least March 2020, as widely reported from October 2024 onward and documented in Office of the Privacy Commissioner (OPC) investigations. The CRA classifies these events as Unauthorized Use of Taxpayer Information by a Third Party (UUTP): unauthorized access to, or modification of, confidential tax information in order to impersonate taxpayers and divert benefits or refunds.
The February 2024 OPC report centered on credential stuffing against CRA My Account. The May 2026 OPC special report widened the aperture: multiple entry points and techniques—including My Account, sign-in partners (financial institutions), telephone services, tax-return channels, EFILE, and Represent a Client—because real-world abuse did not reduce to a single attack pattern.
Scale of compromise
During the acute 2020 reporting window, CRA publicly cited suspicious activity affecting on the order of 48,500 CRA accounts and noted that more than 47,000 individuals had personal or financial information affected—figures often cited in parliamentary and media coverage of that phase.
Separately, in breach reporting to the OPC, CRA submitted quarterly UUTP disclosures. OPC’s May 2026 report states that six quarterly reports totaled 42,755 confirmed individual UUTP breaches (with complex schemes and business UUTPs counted under related Treasury Board reporting rules). An earlier milestone: on 9 May 2024, CRA reported 31,393 individual UUTPs retroactively spanning 11 May 2020 to 9 November 2023, a batch that OPC noted included previously raised CERB-linked cases from the 2024 credential-stuffing investigation thread.
Figures differ across sources because definitions differ (online "accounts" versus individually counted privacy breaches), because some breaches were reported retroactively, and because forensic identification lagged behind the events. That pattern is normal in large identity-fraud cases, but it confuses the public when the figures are not labelled.
What data was exposed
Depending on the pathway, compromised records could include names, addresses, dates of birth, social insurance numbers, tax and benefit records, banking information for direct deposit, and the changes attackers made to divert payments. That combination enables both immediate financial theft and long-running identity abuse, which is why regulators treat CRA holdings as highly sensitive.
How compromises occurred (beyond one slogan)
Credential stuffing remains an important historical explanation for My Account exposure: reused passwords from unrelated leaks remain a staple attack. But OPC’s 2026 investigation stresses CRA could not document how every individual breach occurred—tracking limits began only in 2022, systems struggled with volume, and CRA supplied a statistical sample for OPC review rather than line-by-line forensics for tens of thousands of cases.
That limitation matters legally and practically: without consistent root-cause detail, regulators gauge whether overall safeguards and governance matched risk—not whether each victim could be told a single exploit name.
What the Privacy Commissioner concluded in May 2026
On 7 May 2026, OPC tabled a special report concluding CRA contravened the Privacy Act provisions on accuracy (subsection 6(2)) and disclosure (subsection 8(2)), finding the complaint well-founded and conditionally resolved. OPC issued nine recommendations; CRA accepted eight in full and one in part.
Substantive findings included late rollout of mandatory multi-factor authentication (MFA) for online accounts and, once deployed, MFA methods not fully aligned with strongest industry practice; incomplete attack-surface visibility; reliance on self-reported UUTPs for much detection; patchy root-cause analysis for non-scheme individual breaches; and governance OPC described as not sufficiently coordinated against sustained UUTP pressure.
How this relates to the February 2024 report
The 2024 inquiry targeted credential stuffing against My Account and pushed CRA toward stronger authentication and monitoring. CRA advised OPC in January 2026 that commitments tied to that report were completed. The 2026 report treats that episode as background while examining all vectors—explicitly because attackers adapted beyond stuffing alone.
Chronology (high level)
- March 2020 onward: exploitation of taxpayer accounts, as reported in the OPC overview.
- February 2024: OPC publishes its credential-stuffing findings.
- 9 May 2024: CRA files a large retroactive UUTP breach report with the OPC.
- October 2024: intense media coverage; OPC opens a new investigation after a complaint; ETHI committee hearings begin; Treasury Board grants CRA permission (requested earlier) to report individual UUTPs quarterly, subject to annual review.
- 7 May 2026: OPC tables the 2026 special report and its recommendations.
Legal and financial aftermath
The federal government agreed to a CAD 8.7 million class-action settlement tied to the hack period, with Federal Court approval reported in 2026 (media outlined how funds were allocated among fees and eligible claimants). A settlement is not a criminal verdict and not identical to OPC legal findings—it resolves civil litigation risk while regulators pursue accountability separately.
Operational changes CRA and OPC highlighted
CRA made MFA mandatory for My Account from February 2023 onward (authenticator app, SMS/voice one-time codes, or passcode grid). OPC nevertheless expects strong MFA methods and measurable effectiveness. CRA introduced phone MFA options for agent calls (February 2025) and expanded MFA-style controls into interactive voice response (February 2026). From 24 March 2025, CRA indicated individuals could no longer update direct deposit information by phone alone—only via a CRA account or a financial institution—reducing one social-engineering pathway OPC tied to past abuse.
What Canadians should do now
Use unique passwords for government accounts, complete MFA enrollment, review direct deposit and contact details after any unexpected CRA correspondence, and prefer official portals over links in unsolicited messages. If you suspect account takeover, use CRA’s identity protection channels and document timelines. Expect phishing that weaponizes real regulator headlines.
Bottom line
CRA’s taxpayer-account crisis spans pandemic-era mass compromise figures and a second-generation regulatory story: 42,755 individually counted UUTPs in OPC’s quarterly tallying through the 2026 report, plus Privacy Act breach findings and nine remedial recommendations. Credential stuffing explains part of the history—not the entire threat surface. CAD 8.7 million settles some civil claims; rebuilding trust requires sustained transparency, stronger authentication evidence, and fewer gaps between what happened and what agencies can prove in each case.
Reference & further reading
Additional materials
- OPC news release on the May 2026 CRA investigation and recommendations (Office of the Privacy Commissioner of Canada)
- OPC February 2024 special report: 2020 credential-stuffing investigation (GCKey/My Account) (Office of the Privacy Commissioner of Canada)
- CRA cyber incidents update with compromised-account figures (2020) (Government of Canada)
- CRA account security and recovery guidance (Government of Canada)
- CBC: federal class-action settlement over CRA account hacks (CBC News)
Author profile
Kenji Nakamura
Technology policy reporter · 12 years’ experience
Covers AI deployment, platform governance, and semiconductor supply—especially where export controls meet product roadmaps.