Cyber incidents

The protection of the personal information of Canadians is a priority for the Canada Revenue Agency (CRA). The confidence and trust that individuals and businesses have in the CRA are the cornerstones of Canada's tax system. 

The CRA is cooperating with the RCMP in its ongoing investigation into recent cyber incidents. As the investigation continues, we must be mindful not to share information about the specific nature of the attacks, or of the security measures taken to address them, so as not to jeopardize the work of the RCMP investigators. The Office of the Privacy Commissioner has also been informed of this incident, and continues to be updated.

The CRA understands the difficulties and frustrations caused to Canadians by the recent cyber incidents. In order to protect Canadians from fraud and potential impacts of identity theft, the CRA has rigorous verification procedures.

We recognize that restricting access to CRA accounts is disruptive to Canadians, and we regret the inconvenience that these necessary precautions have caused for Canadians. We are committed to assist those affected by these cyber incidents. Individuals whose accounts have been compromised will receive a letter from the CRA explaining how to confirm their identity and reactivate their account. They will also be offered credit protection services free of charge. 

We are continuing to work with our government counterparts, including the Canadian Centre for Cyber Security and the Treasury Board of Canada Secretariat, to respond to the recent attacks on the CRA's online systems. To prevent access with other online government accounts, the link between the CRA's My Account and My Service Canada Account continues to be disabled.  

As the forensic analysis related to the recent cyber incidents continues, the updated numbers being provided today represent the latest available information at this point in time, and are subject to change as the investigation continues. 

Of the more than 14 million CRA user accounts, the CRA has identified suspicious activities on approximately 48,500 accounts as a result of the cyber incidents. This number stood at 5,500 on August 15, 2020, but has evolved as a result of the ongoing forensic analysis. All of these 48,500 accounts have been locked to prevent any additional unauthorized access and/or fraud on them. As well, measures are in place to identify high risk accounts and prevent any potentially suspicious applications from being made. The mitigation measures put in place have proven to be effective. We are in the process of contacting affected individuals by registered mail with instructions on how to confirm their identity and reactivate their account. In some cases, applicants may be asked to call the CRA before receiving their next benefit payment and supporting documents may be requested.

Safeguards have been placed on affected accounts and all valid emergency benefit payments will be issued. The CRA will work with individuals affected by identity theft or fraud to help ensure they are not held liable for fraudulent claims and payments made by fraudsters using their account. They will also be offered credit protection services free of charge. 

Despite the CRA's actions to combat scams, identity theft happens every year, and cyber incidents are a regular occurrence. Scammers acquire  personal information through a variety of means, such as phishing scams and data leaks or breaches stemming from organizations outside the CRA. As scammers adapt their practices, so does the CRA. The CRA routinely monitors accounts for suspicious activity to detect, prevent and address potential instances of fraud and identity theft, whether or not this activity is related to cyber-attacks. The CRA combines advanced data analytics and business intelligence gathered from many sources, including law enforcement agencies, financial institutions, and leads to support these efforts. 

The recent cyber incidents used credential stuffing, where passwords and usernames collected from previous hacks in other organizations are entered to access CRA accounts. To help lower the risk of being affected by these kinds of cyber incidents, all Canadians are strongly encouraged to avoid using the same passwords for different systems and applications. 

There are additional features that Canadians can take advantage of to help enhance the security of their accounts. The CRA urges all CRA online account users to enable “Email notifications”. This service notifies taxpayers, by email, of changes to their CRA accounts. These notifications act as an early warning to Canadians of potential fraudulent activity on their account. Canadians who receive these alerts, but have not authorized any changes, should contact the CRA at 1-800-959-8281 (English) or 1-800-959-7383 (French) to take steps to rectify the situation. We have dedicated employees at our call centres and are prioritizing calls from victims of fraud and identity theft. 

For more information on how to increase the security on your account or to report suspicious activities, along with updates on the cyber incidents, please visit the CRA Fraud and Identity Theft Web pages. 

As many Canadians rely on our online services, the CRA is working quickly and diligently to continue delivering services without interruption. 

Associated links

• August 15, 2020: Statement from the Office of the Chief Information Officer of the Government Canada on recent credential stuffing attacks
• September 17, 2020: Update from the Office of the Chief Information Officer of the Government Canada on recent cyber attacks

-30-