Cyber Month: How the Canada Revenue Agency protects your information

As we approach the end of this year’s Cyber Month, the Canada Revenue Agency (CRA) is reiterating the importance of safeguarding personal information from ever-evolving cyber security threats.

The security of taxpayer information is of the utmost importance for the CRA and we are continually enhancing our security measures to help prevent unauthorized access to taxpayers’ information:

• Multi-factor authentication

  The CRA implemented multi-factor authentication (MFA) as a mandatory enhanced security measure for all individuals, businesses, and representatives who access the CRA sign-in services. Individuals are required to enter a one-time passcode every time they access the CRA sign-in services. For registration and more information, visit the multi-factor authentication web page.

• Revoking at risk CRA user IDs and passwords

  To help prevent incidents of unauthorized access and safeguard taxpayers’ information, the CRA conducts routine checks and analyses to identify CRA user IDs and passwords that may have been obtained by unauthorized parties that are external to the CRA. As a preventative measure, the CRA revokes the identified CRA user IDs and passwords, and provides impacted individuals with the information they need to regain access to their account.

• Identity Protection Services

  The CRA established a dedicated Identity Protection Services (IPS) program to provide a single point of contact for individual taxpayers to resolve identity theft concerns. The IPS program reviews all cases of potential identity theft, dealing directly with identity theft victims to ensure that their taxpayer account is restored and remains protected from unauthorized activity.

• Mandatory email on file

  My Account users are required to have an email address on file with the CRA to help protect their accounts from fraudulent activity. This security feature allows individuals to receive email notifications when changes have been made to their account, including changes to their address and direct deposit information. If a user has received an email that an update has been made to their account, but they have not authorized any changes, they should contact the CRA immediately.

As scammers adapt their practices, so does the CRA. We regularly adjust and improve our security measures to safeguard sensitive information against ever-evolving threats and ensure a multi-layered approach to protect our systems from threat actors. The CRA regularly performs security assessments, such as vulnerability scanning, penetration testing and security risk assessments on the CRA’s digital services.

Protecting accounts and informing taxpayers

The rise in fraud and identity theft is a global trend. In Canada, the Canadian Anti-Fraud Centre has reported a rise in reported scams and fraud. Internationally, responses to these rising trends include the Joint Chiefs of Global Tax Enforcement convening a special working group targeting cybercrime. This is also a key area of focus for the OECD (Financial consumer protection|OECD).

Since 2020, there has been an increase in the number of identity theft cases and unauthorized use of taxpayer information by a third party (UUTP). This appears to be driven by data breaches at third-party organizations enabling threat actors to obtain user credentials, the introduction of new or revised benefits administered by the CRA, and increased risks from social media, e-commerce, digital services, and cryptocurrencies, which offer new avenues for exploitation. Since the CRA began tracking cases of UUTP affecting individuals from May 11, 2020, to August 26, 2024, there have been more than 31,000 confirmed privacy breaches.

It is important to note that as soon as the CRA becomes aware of an alleged incident of identity theft, or suspects an account could be the target of a threat actor, it takes swift and immediate precautionary measures on the client’s account, such as locking it to prevent transactions, and conducting an in-depth review. The volume and complex nature of these cases limits our ability to report these breaches to the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board of Canada Secretariat (TBS) immediately upon confirmation. The CRA is working closely with the OPC and TBS on a way forward.

Additionally, after confirming a breach, the CRA contacts the impacted individuals directly to make them aware of the incident, advises them of the measures the CRA is taking to protect their information, and outlines the steps they can take to further protect their account. In cases where a privacy breach may result in an immediate risk to the broader Canadian public, the CRA may choose to alert Canadians so that they can protect themselves from possible harm. For instance, in 2020, the CRA issued a general warning about credential stuffing attacks, and strongly encouraged Canadians to avoid reusing passwords. However, the priority is to notify affected individuals.

How taxpayers can protect their CRA accounts

In addition to the CRA’s ongoing security enhancements, there are several steps Canadians can take to protect their CRA accounts:

• Regularly monitor their CRA account for suspicious activity such as unexpected account changes or benefit applications made without their consent. This practice ensures that any suspicious activity is promptly addressed.
• Regularly change passwords and security questions and ensure they remain confidential. User IDs and passwords should be unique to a CRA account and passwords must be complex so they cannot be guessed.
• Keep contact information (mailing address, email address, phone number) up to date as the CRA contacts taxpayers if suspicious activity is detected on their account.

What to do if a taxpayer’s account has been compromised

If an individual suspects that their CRA account has been compromised due to suspicious activity, they should report the incident to the CRA, inform other authorities (banks, credit bureaus, local police) and notify the Canadian Anti-Fraud Centre. If a taxpayer’s account information has been compromised, the CRA will take action to secure their account.

Contacts

Media Relations
Canada Revenue Agency
613-948-8366
cra-arc.media@cra-arc.gc.ca

-30-