Notice of meeting

https://www.ourcommons.ca/documentviewer/en/44-1/ETHI/meeting-140/notice

Opening Remarks

OPENING REMARKS FOR BOB HAMILTON, COMMISSIONER, CANADA REVENUE AGENCY

Standing Committee on Access to Information, Privacy and Ethics

Appearance on privacy breaches involving the Canada Revenue Agency

Ottawa, Ontario

November 21, 2024

Check against delivery.

Mr. Chair, thank you for the opportunity to discuss the Agency’s work regarding unauthorized access to taxpayer information.

I am joined today by the Agency’s Assistant Commissioners: Gillian Pranke (Assessment, Benefit, and Service Branch), Marc Lemieux (Collections and Verifications Branch), Sophie Galarneau (Public Affairs Branch and Chief Privacy Officer), and Harry Gill (Security Branch and Agency Security Officer).

Let's be clear: the Canada Revenue Agency has zero tolerance for fraud, and the protection of Canadian taxpayer information remains one of our highest priorities.

In today’s increasingly digital world, the rise in fraud and identity theft has become a global trend. Internationally, responses to these rising trends include the Joint Chiefs of Global Tax Enforcement (J5) convening a special working group targeting cybercrime. The Agency, representing Canada, is an active member of the J5.

Despite the rigorous security controls already in place, the Agency – like any organization – recognizes that it is not immune to these growing trends and acknowledges the concern that privacy breaches and identity thefts cause among those affected.

The Agency does not publicly discuss tax schemes utilized by bad actors, to avoid inspiring other would be fraudsters from following suit. Nevertheless, it’s important to note that a privacy breach does not necessarily mean that our systems have been compromised or that information has been extracted. In the vast majority of cases we encounter, fraudsters access data external to the Agency, attempting to exploit it by posing as real taxpayers.

That said, the Agency has a multi-layered system of defences to identify, protect, detect, and respond to threats like fraud, identity theft, and tax schemes. And we are successful in protecting hundreds of thousands of fraudulent attempts to gain access to personal and business taxpayer accounts.

To support transparency, we report all material privacy breaches to Treasury Board of Canada Secretariat and the Office of the Privacy Commissioner of Canada. We also report on privacy breaches at the end of each fiscal year in our Annual Report to Parliament on the administration of the Privacy Act.

When fraud is suspected, the Agency takes immediate precautionary measures on the taxpayer’s account, such as locking it to prevent transactions and conducting in-depth reviews with those impacted. Then our Identity Protection Services program takes over. This service is dedicated to both individuals and businesses, where we offer an accessible, high-touch service to the victims affected by identify theft. When appropriate, we provide credit protection and monitors affected accounts to prevent taxpayers from being re-victimized.

In rare cases where fraudulent funds are paid out, the Agency takes every available enforcement action to return the funds to the Crown and hold the offending parties accountable. This includes criminal investigations that could be referred to the RCMP.

Let me be clear: there is no silver bullet to protect against fraud or privacy breaches. That is why the Agency has implemented multi-layered safeguards, including the multi-factor authentication as a mandatory measure. This requires people to enter a one-time password every time they access the Agency’s login services.

The Agency also regularly performs security assessments, such as vulnerability scanning, penetration testing, and security risk assessments on the Agency’s digital services and systems. We regularly conduct routine checks to identify taxpayer credentials that may have been obtained by unauthorized external parties, and we take immediate steps to revoke these IDs to prevent it from being exploited by fraudsters.

Furthermore, we continually invest in security by improving our technologies, processes, and controls to ensure the security of taxpayer information.

As fraudsters' tactics evolve, the Agency adapts and remains vigilant in its efforts to stay one step ahead.

Thank you, Mr. Chair. We will be happy to answer your questions.

Supporting Documentation

House of Commons Order Paper Questions Q-1379 & Q-2954

Q-1379 & Q-2954 (PDF, 8 MB) EN/FR

2023–2024 Annual Report to Parliament on the Administration of the Privacy Act

Annual Report to Parliament on the Administration of the Privacy Act

Information Sheet – CRA Approach to confirmed privacy breaches

The CRA would like to share our approach to handling confirmed privacy breaches. We manage all privacy breaches in accordance with Treasury Board of Canada Secretariat (TBS) privacy policies.

1. As soon as the CRA discovers or suspects an incident involving potentially compromised information, the incident is immediately contained, in that the individual’s account(s) are locked, preventing the possibility of actions being taken on the account by unauthorized individuals and an extensive review is initiated.
2. When a privacy breach is confirmed, a dedicated privacy breach response team assesses the incident to determine if there is a risk of harm to affected individuals and if the breach must be reported to TBS and the Office of the Privacy Commissioner of Canada (OPC), in accordance with the mandatory reporting requirement in the TBS Policy on Privacy Protection.
3. The CRA reports all confirmed material privacy breaches to TBS and the OPC. In certain cases, the CRA may also provide the OPC and TBS with early notification of an incident.
   • A material privacy breach is a privacy breach that could reasonably create a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit records and damage to or loss of property.
4. If the CRA determines that a privacy breach creates a risk of harm to an individual, they will be notified, unless circumstances prevent it (for example, no current contact information appears on file). The CRA also protects affected individuals by offering credit protection, when warranted.
5. Once a breach has been contained and assessed, the CRA identifies and implements appropriate mitigation and prevention measures to reduce the risk that a similar privacy breach will occur.

The CRA has dedicated extensive resources to the identification, containment, investigation, and mitigation of privacy breach incidents, and has implemented robust processes and procedures to ensure that such incidents are managed in accordance with policy requirements and that affected individuals are protected and notified as soon as possible.

CRA Statement – CRA has zero tolerance for fraud

CRA has zero tolerance for fraud

Issues Notes

Overall Statement

Key messages:

• The protection of taxpayer information is of the utmost importance for the CRA. At the CRA, we recognize that the confidence and trust Canadians (both individuals and businesses) place in us is essential. It’s the cornerstone of Canada’s voluntary tax system.
• In today’s increasingly digital world, safeguarding sensitive information against constantly evolving threats is critical for every organization. The CRA works continuously to strengthen our defences and stay ahead. As threat actors adapt their practices, so do we.
• The CRA has built a multi-layered approach to security, with robust systems and tools in place to monitor, detect and investigate potential threats, and respond quickly when they occur.
• This starts with personnel screening, employee training and document handling procedures such as markings and email encryption to make sure sensitive information is handled securely. We perform regular risk assessments and internal audits to ensure that internal processes are secure.
• In addition, the CRA has dedicated teams to address issues related to unauthorized access and breaches of taxpayer information, and performs regular risk assessments and audits to ensure its processes are secure.
• We’ve also increased the number of resources dedicated to combat fraud and the unauthorized access, use, and disclosure of taxpayer information, and we continue to invest in security and enhance our technologies, processes and controls.
• In addition to a strong defense, the CRA has implemented proactive measures to protect the personal information of Canadians. These efforts include:
  • Multi-factor authentication: requiring a one-time passcode every time you access the CRA sign-in services.
  • Revoking at risk CRA user IDs and passwords: routine checks to identify CRA user IDs and passwords that may have been compromised. The CRA revokes the identified CRA user IDs and passwords (protecting their account from bad actors using these credentials) and provides impacted individuals with the information they need to regain access to their account.
  • Mandatory email on file: email notifications when changes have been made to their account, including changes to their address and direct deposit information.
  • Identity Protection Services: A single point of contact for individual taxpayers to resolve identity theft concerns.
• Together, these defensive and offensive measures demonstrate the CRA’s commitment to protecting Canadians’ information and maintaining the integrity of its systems.

Unauthorized use of taxpayer information by a third party (UUTP)

Key messages:

• The rise in fraud and identity theft is a global trend. The CRA, like every other government and private sector organization in the world, faces ongoing and persistent threats. Safeguarding sensitive information against constantly evolving threats is critical for every organization, including the CRA. The protection of taxpayer information remains one of our highest priorities.
• Sophisticated criminal elements are attempting new and innovative approaches to bypass existing security measures to access Canadians’ tax accounts, change direct deposit information, produce fraudulent tax information slips and fill fraudulent returns.
• Information from third party breaches (obtained through phishing or external data leaks) can be collected and combined to allow external threat actors to update direct deposit information via a financial institution, file fraudulent paper returns, update fraudulent tax information slips, or impersonate the taxpayer when calling the CRA in the hope of fraudulently obtaining unwarranted credits or benefits.
• Recognizing our robust security controls, the CRA, like many large organizations, are not immune to privacy breaches and fraud, and we recognize the worry and frustration this can cause for those affected.
• We want to reassure Canadians that we are continually enhancing our security measures, technologies, processes and controls to ensure the security of taxpayer information.
• Indeed, the CRA has implemented security measures to protect the personal information of Canadians, including multi-factor authentication throughout CRA login services, and proactively revoking user IDs and passwords that may have been obtained by unauthorized third parties through a variety of external sources.
• We have made strategic investments to proactively detect, report, and address external fraud and the unauthorized use of taxpayer information by a third party (UUTP). These UUTP breaches often involve personal information, in most cases obtained from external sources, used to help bypass existing security measures to access or modify taxpayer information.
• The CRA routinely monitors accounts for suspicious activity to detect, prevent and address potential instances of fraud and identity theft. The CRA combines advanced data analytics and business intelligence gathered from many sources, including law enforcement agencies, financial institutions, and leads to support these efforts. We also continue to collaborate with domestic and international partners to inform our strategy and stop breaches from persisting.
• While we do not discuss threats publicly so as not to compromise our security efforts, we do thoroughly pursue potential fraud and have dedicated teams to promptly address these cases when they arise.
• To preserve the integrity of this tax system, we do not release our playbook. Releasing specific information related to our monitoring strategies could jeopardize our efforts.

Total UUTP breaches reported by CRA to the OPC/TBS by FY*
NOT including complex cases (numbers are recorded via individual and BN UUTP PBRs)

Year	# material breaches	# of affected individuals
2020-2021	1	8,127
2021-2022	7	1,874
2022-2023	28	3,696
2023-2024	72	20,866
2024-2025	34,652	34,705
Total	34,760	69,268

Yearly breakdown of UUTP confirmation

Year	Number of material breaches / affected individuals
2020	2,972
2021	16,167
2022	8,651
2023	3,948
Total	31,738

Protecting taxpayer accounts

Key messages:

• When we suspect an account is the target of an external threat actor, we take swift and immediate precautionary measures on the taxpayer’s account such as locking it to prevent transactions, conducting in depth reviews, and contacting the individuals.
• The CRA formally contacts the affected individuals and provides credit protection, where warranted, at no cost to them.
• Taxpayers who are confirmed victims of identity theft are not held responsible for any money paid out to scammers nor penalties or interest related to fraudulent claims.
• The CRA remains dedicated to resolving these incidents.

Reporting privacy breaches

Key messages:

• The CRA reports all material privacy breaches to Treasury Board of Canada Secretariat (TBS) and the Office of the Privacy Commissioner of Canada (OPC).
• We have now reported all confirmed privacy breaches as per our obligations.
• We are committed to full transparency in addressing privacy breaches, including retroactively reporting all confirmed breaches to the OPC, as noted in the OPC’s February 2024 report.
• In our response to the OPC’s report, we committed to becoming fully compliant with TBS policy and retroactively reporting all confirmed privacy breaches to their office which we have now completed. Recognizing these delays in reporting, the CRA’s top priority has always been to directly notify affected individuals and protect their accounts oftentimes as investigations are underway.
• In addition to the mandatory privacy breach reporting requirements to TBS and the OPC, we report on privacy in our annual reports to Parliament on the administration of the Privacy Act.

Delay in reporting identity theft-related privacy breaches

Key messages:

• In 2020 there was a significant increase in the number of identity theft cases and unauthorized use of taxpayer information by a third-party (UUTP) following the announcement of the COVID-19 emergency benefits. Later that year, the CRA also noticed a marked increase in external data breaches and cyber threats as external threat actors attempted to capitalize on a unique and lucrative set of circumstances.
• At that time, the CRA prioritized protecting accounts, improving security and protection measures and contacting affected taxpayers.
• The delays in reporting these breaches from between March 2020 to December 2023 can be attributed the need to develop a reporting process for these types of privacy breaches, as well as external factors beyond the CRA’s control, such as difficulty in contacting taxpayers to confirm the breach and also taking steps to prevent more Canadians from becoming victims.
• The CRA has been involved in ongoing consultations with TBS and the OPC on the reporting of these types of privacy breaches.
• All confirmed UUTPs from this period have now been reported.

Dollars paid out as a result of identity theft-related fraud

Key messages:

• The CRA can confirm that the following amounts were fraudulently paid out on individual accounts related UUTP. These numbers account for T1 returns and COVID benefits only.
  • 2020: $181M
  • 2021: $5M
  • 2022: $0.4M
  • 2023: $2M
  • 2024: $3M (as of October 4, 2024)
• Given the inherent complexities of this workload and the evolving fraud landscape, it is possible that the previous numbers will change.
• The CRA is working with Public Services and Procurement Canada to recover funds from financial institutions that were issued as a result of UUTPs.

Third Party fraud for 2024 tax season

Key messages:

• To preserve the integrity of the tax system, the CRA does not release specific information related to our monitoring strategies that could jeopardize our efforts. However, we can provide the following general information:
• Taxpayers who claim false expenses, credits or rebates from the government are subject to serious consequences. They are liable not only for corrections to their tax returns and payment of the full amount of tax owing, but also to penalties and interest. They may also face criminal prosecution.
• In general, if a UUTP has been confirmed, the CRA takes necessary actions. This includes contacting the impacted individuals directly to make them aware of the incident, advising them of the measures the CRA is taking to protect their information, and outlining the steps they can take to further protect their account.
• In cases where a privacy breach may result in an immediate risk to the broader Canadian public, the CRA may choose to alert Canadians so that they can protect themselves from possible harm. For instance, in 2020, the CRA issued a general warning about credential stuffing attacks, and strongly encouraged Canadians to avoid reusing passwords. However, the priority is to notify affected individuals.
• The CRA’s continual vigilance combined with reinforcement of individual cyber hygiene habits creates a strong barrier against those seeking to gain from fraudulent activities.
• The CRA will continue enhancing its security and adapting to evolving threats, while being transparent in our reporting and communication to affected taxpayers.

False T4A slips

Key messages:

• To preserve the integrity of the tax system, the CRA does not release specific information related to our monitoring strategies that could jeopardize our efforts.
• Taxpayers who claim false expenses, credits or rebates from the government are subject to serious consequences. They are liable not only for corrections to their tax returns and payment of the full amount of tax owing, but also to penalties and interest. They may also face criminal prosecution.
• While we do not discuss threats publicly so as not to compromise our security efforts, we do thoroughly pursue issues related to potential fraud and have dedicated teams to promptly address these matters when they arise.

Fraud-Prevention Measures

Key messages:

• The CRA has zero tolerance for fraud. The vast majority of Canadians are honest, and the CRA has effective systems in place to manage the small percentage of people who submit fraudulent claims. Canada’s tax system is based on voluntary compliance and self-assessment. The confidence and trust that individuals and businesses have in the CRA are the cornerstones of Canada’s tax system.
• The CRA has robust systems and tools in place to identify, protect, detect, and respond to potential threats, and to neutralize threats when necessary.
• The CRA combines advanced data analytics and business intelligence gathered from many sources, including law enforcement agencies and financial institutions, and leads to support these efforts.
• No organization is immune from fraudulent activity. As soon as fraudulent activity is discovered, the CRA acts quickly and uses every tool at its disposal to stop any further fraudulent activity and recover any money fraudulently or illegally obtained.
• The CRA continues to adjust and improve its security measures in response to an ever-evolving threat environment. As scammers adapt their practices, the CRA has adjusted to introduce new measures and controls to address suspicious activity. Dedicated subject matter experts work diligently to counter the activities of threat actors.
• The CRA takes the abuse of Canada’s tax laws seriously and encourages members of the public to contact the CRA’s Leads Program. The CRA Leads Program gives the public the opportunity to come forward and anonymously report suspected cases of non-compliance with the tax laws administered by the CRA.

Has CRA called law enforcement about the privacy breach reported in the media?

Key messages:

• In order to ensure the integrity of our work and to respect the confidentiality provisions of the Acts we administer, the CRA does not comment on investigations that it may or may not be undertaking.

How does CRA work to stop and prosecute fraudsters?

Key messages:

• As soon as fraudulent activity is discovered within the CRA, the CRA acts quickly and uses every tool at its disposal to stop any further fraudulent activity and recover any money illegally obtained.
• All security incidents are assessed and investigated by the CRA, and where warranted, referred to the CRA’s Criminal Investigations Program (CIP), or the Royal Canadian Mounted Police (RCMP).
• The CRA’s CIP investigates significant cases of tax evasion, tax fraud and other serious violations of the tax laws, and these investigations can include privacy breaches and identity-based crimes.
• When tax fraud involves a privacy breach of personal taxpayer information, the matter can be referred to the CRA’s CIP for criminal investigation.
• Where appropriate, the CIP refers cases to the federal prosecutor, the Public Prosecution Service of Canada (PPSC), for possible criminal prosecution.
• In addition to court imposed fines and/or jail sentences, convicted taxpayers have to pay the full amount of tax owing, plus related interest and any penalties assessed by the CRA.
• While we are unable to provide details regarding specific investigations that we may or may not be undertaking, we can highlight two specific cases that have concluded in the courts (NOTE - All case-specific information above was obtained from the court records) :
  1. Mr. Chun Zhu aka Ted Zhu of Calgary, Alberta pleaded guilty on January 29, 2021, in the Alberta Provincial Court, to one count of fraud over $5,000, and one count of obtaining and using another's identity to commit an indictable offense.
     
     The CRA investigation revealed that, as early as March 2018, Zhu started gathering personal information from individuals who applied on fake job postings he set up. Zhu used the information he gathered from these applications to electronically prepare, print out, and file as many as 317 personal tax returns. These returns claimed unwarranted tax refunds totalling more than $760,000 which he attempted to have deposited into bank accounts controlled by himself.
     
     Zhu was sentenced on October 1, 2021 and given an eight month sentence for fraud and six month sentence for using another's identity to commit an indictable offense. These two sentences are to be serviced concurrently, followed by 18 months of probation.
     
  2. The CRA announced that on June 23, 2022, Georgette Young, Angela MacDonald, Nadia Saker, and Lydia Saker, of Nova Scotia were each sentenced in the Nova Scotia Supreme Court. On February 24, 2022, the three sisters, their mother (Lydia Saker), and their ten companies were found guilty of ten counts of fraud and ten counts of claiming false GST/HST refunds.
     
     Young was sentenced to four years in prison and fined $1,997,601, MacDonald was sentenced to three years in prison and fined $961,186, Nadia Saker was sentenced to three years in prison and fined $493,620 and Lydia Saker was sentenced to two years in prison and fined $335,099.
     
     A CRA investigation revealed that between January 1, 2011, and July 31, 2015, the four women filed false GST/HST returns reporting over $56 million in sales and requesting over $3.6 million in refunds in an attempt to defraud the CRA. The women fabricated false invoices, some of which included over $16 million in marketing and advertising, $6.4 million in cookbooks and food products, $5.5 million in catering and $3.7 million in children's clothing. During this period, the investigation determined that only five of the ten companies had active bank accounts, and the actual business activity of those five companies was in the range of $60,000.
     
     The four women filed Input Tax Credits (ITCs) creating refunds of $3,628,805. Of the $3,628,805 in fraudulent refunds requested, the four women received $275,960, and an additional $81,399 was allocated to amounts owed to the CRA. When the CRA began to audit the filed returns, the four women doubled down on their fraud by supplying fictitious invoices and amending claims in an attempt to hide the massive scale of their fraud.

Background

• It is important to note that there are various types of privacy breaches that occur across Canada, in both the public and private sectors. There is a difference between instances where the CRA experiences a security breach, and when a privacy breach occurs outside of the CRA, and that information is then used to gain unauthorized access to the CRA’s systems through fraud. For example, when a company and/or organization’s confidential credentials are stolen, these criminals then receive the confidential information that is then used to gain unauthorized access into personal and/or business accounts, where they then change personal and/or corporate information (i.e. bank accounts, email addresses, authorized representatives), submit false returns, and receive false refunds.

How does CRA work with global partners to stop fraudsters?

Key messages:

• Countries around the globe are facing a common threat posed by increasingly complex and innovative forms of tax crime. Therefore, the CRA recognizes the importance of strengthening its domestic and international public-private partnerships (PPP).
• For example, the CRA is an active member of the Joint Chiefs of Global Tax Enforcement (J5). The J5 exists to combat tax and other financial crimes that affect the jurisdictions of Australia, Canada, the Netherlands, United Kingdom and the United States. One of the J5’s greatest successes has been the creation of the Global Financial Institutions Partnership (GFIP).
• The GFIP is an international public-private partnerships, seeking to tackle tax fraud and wider associated tax crime by bringing together the J5 Chiefs, and senior leaders in financial crime compliance from major international banks, financial intelligence units, banking representative bodies, and influential senior leaders from wider organizations.
• In the last year, the GFIP has worked together to review and collaborate on various projects, including a typology paper relating to identity theft. The GFIP has helped to strengthen our partnerships both domestically and globally, and closely connected the financial ecosystem of the financial institutions, financial intelligence units and the CRA to thwart further breaches from occurring.
• This ongoing and robust partnership was further solidified when the CRA, as a member of the J5, recently hosted the GFIP Summit in Ottawa, on October 22-23, 2024, and provided even more visibility on key issues, such as identity theft, with our Canadian partners. By continuing to work more closely with the financial sector, the safeguarding of data and funds will be better protected against criminals.
• In addition, in 2019 the CRA joined the International Public Sector Fraud Forum (IPSFF), a group consisting of the Five Eyes countries which coordinates efforts to define, measure, and combat public sector fraud.

CRA's Proactive Approach to Combat Fraud

Key messages:

• The CRA has been upfront with Canadians on the different threat vectors it faces. It has put energy and resources forward to inform Canadians about scams and fraud, and provide information on what they can do to protect themselves.

Web pages:

• The CRA has a dedicated webpage on scams and fraud. It lists the types of scams to watch out for, including identity theft and fraudulent tax returns. It provides Canadians with warning signs of a scam and provides advice.

Proactive communications:

• Social Media: Between October 1, 2023 to October 31st, 2024, 57 (1 post includes French/English equivalents) posts regarding cyber security were made on the CRA’s social media channels.
• The content includes:
  • Tips to keep accounts safe (updating passwords, creating good passwords, monitoring accounts, clearing cache, keeping information up to date, etc.)
  • Regular revocation notifications with instructions on how to regain access to My Account
  • Security measures the CRA has in place (Multifactor authentication, PINs, etc.)
  • General Cybersecurity awareness (phishing scams, spotting threats on social media)

Tax tips:

• Since January 2020, the CRA has issued 23 tax tips, designed to keep Canadians, media outlets, and stakeholders informed about the CRA’s measures to protect taxpayer information.
• These tips also offer practical steps taxpayers can take to enhance the security of their own information.

Taxology Podcast:

• The upcoming episodes 4 and 5 of the podcast will be addressing scams and fraud episode. It will provide listeners with information and tips on how to protect their personal information and identify potential threats.
• The podcast is expected to launch early in the new year (2025).

Advertising initiatives:

Escape rooms

• The escape room is an immersive experience that invites participants to “Spot the scams” as a way of educating them on recognizing common scams involving the Government of Canada name.
• The escape room launched at the end of March 2024 and ran until end of May 2024 visiting shopping malls in Ottawa, Montreal, Dartmouth, Mississauga, and Burnaby.
• A second round ran from September to October 2024 in shopping malls in Moncton, Edmonton, Calgary, Saskatoon, and Winnipeg.
• The escape room received positive local media coverage in each market from a variety of media outlets including CTV, CBC, La Presse, Le Journal de Quebec, Global and CityNews. This also included live TV segments on the morning shows in Edmonton and Winnipeg.

Be scam smart:

• Since 2020, the CRA collaborated with other Government of Canada (departments to lead a multimedia advertising campaign – Be Scam Smart.
• The goal of this campaign was to increase awareness of common scams using the CRA or Government of Canada name. The media used included television, social media (e.g. Facebook, Twitter, YouTube, Snapchat, TikTok), web banners on news sites (i.e. CBC and Radio-Canada) and Search Engine Marketing (SEM).

When and how does the CRA inform Canadians about privacy breaches?

Key messages:

• We understand the importance of transparency. The CRA prioritizes the protection of Canadian's personal information.
• As well, the CRA has demonstrated this transparency by committing to retroactively report all confirmed breaches to the Office of the Privacy Commissioner of Canada (OPC) and Treasury Board of Canada Secretariat (TBS) in its response to the OPC investigation into the 2020 cyber incidents.
• It's important to emphasize that even before a privacy breach is confirmed, the CRA proactively protects taxpayer accounts with suspected suspicious activity.
• After confirming a breach, the CRA contacts the affected individuals directly to make them aware of the incident, advises them of the measures the CRA is taking to protect their information, and outlines the steps they can take to further protect their account.
• In cases where a privacy breach may result in an immediate risk to the broader Canadian public, the CRA may alert Canadians so that they can protect themselves from possible harm.
• Examples of this include:
  • Summer 2020 cyber incidents
  • Locked accounts in February 2021
  • Loss of encrypted CD with details about Yukon residents

Office of the Privacy Commissioner’s investigation

Key messages:

• The CRA acknowledges and welcomes the Office of the Privacy Commissioner’s investigation into privacy breaches at the CRA and thank them for their important work in serving Canadians.
• The CRA is committed to full transparency in addressing privacy breaches, including retroactively reporting all confirmed breaches to the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat.
• While there can sometimes be delays in this reporting, our priority has always been to notify affected individuals directly and protect their accounts as investigations are underway.

CRA's Transaction Data

Key messages:

Individual tax revenue

• In 2023-2024, the CRA administered over $430B in individual tax revenue.
• The CRA processes over 32 million individual tax returns in a year.
• This represents approximately $1.6B in revenues and 124K transactions per business day.
• Over the last tax season, the CRA issued $43B in payments relating to individual tax returns (19M transactions).

Benefits

• In 2023-2024, the CRA issued close to $55B in benefits (federal and provincial) through close to 214M transactions.

CRA's Priorities

Key messages:

• The CRA’s top three business priorities for 2024-25 are to:
  • Deliver seamless client experiences and tailored interactions that are digital first;
  • Combat aggressive tax planning and tax evasion; and
  • Strengthen security and safeguard privacy.
• Our first priority focusses on providing high quality, secure services to Canadians, including contact centre services.
  • The CRA’s major contact centres are focused on the future while continuing to provide the best service possible within a changing environment.
  • Budget 2024 provided $336 million over two years, starting in 2024-25, to maintain call centre resources and improve efficiency.
  • This funding falls short of what would be required to achieve the Service Standard target of answering 65% of calls within 15 minutes.
  • The CRA is implementing a plan to improve access to contact centre service by reducing call volumes, reducing call handle time, and moving to a new telephony platform.
  • The plan focusses on continuing to improve digital services and operational efficiencies, and leveraging advanced technological solutions.
• Our second priority is about compliance, including to combat aggressive tax planning, tax avoidance and tax evasion that allows the wealthiest to avoid paying the taxes that they owe.
  • This is part of the Mandate the Prime Minister gave to the Minister of National Revenue in December 2021.
  • The Government has invested significantly in these efforts, including in the 2020 Fall Economic Statement, Budget 2021 and Budget 2022.
  • The CRA is achieving significant results: as of the end of the 2023-24 fiscal year, it had generated $595 million from the Fall Economic Statement Initiatives, $384 million from the Budget 2021 initiatives, and $358 million from Budget 2022 initiatives.
  • The CRA continues to sharpen its focus on its compliance activities and to improve the use of data, technology and business intelligence to gain operational efficiencies.
• Our third priority is about security. Being the holder of one of the largest repositories of personal and financial information in Canada, the CRA ensures that all information is protected through effective controls.
  • The Government has invested in security at the CRA. Budget 2021 invested $330.6 million over five years and $51.2 million ongoing, in new technologies and tools that match the growing sophistication of cyber threats, and to ensure the CRA’s workforce has the specialized skills to proactively recognize and respond to threats to better safeguard Canadian data.
  • These investments ensure that the CRA limits potential cyber-attacks and decreases the likelihood of data breaches.
  • Furthermore, in 2022, the Canada Revenue Agency created a Security Branch, bringing together security programs to further safeguard the CRA's people, information and assets.
  • The Agency cannot expect zero fraud in the face of motivated and well-resourced adversaries. We follow an internationally-accepted approach of identifying fraud risks, protecting against those risks, and understanding that sometimes fraud risks will materialize. We know fraud exists and it’s important that we detect it; it would be concerning if we found none. Finding it means we can take appropriate action to respond.
• The CRA continues to focus on balancing service and security by using advanced technology, well-informed personnel, and proactive monitoring.

ETHI – Commitee Information

Mandate of the Committee

The Standing Committee on Access to Information, Privacy and Ethics studies and reports on matters referred to it by the House of Commons, or on topics the Committee itself chooses to examine under its mandate. It is a permanent committee established by the Standing Orders of the House of Commons. Bills, departmental activities and spending, and other matters related to the general subject matter of the Committee may be referred to it.

Under Standing Order 108(3)(h), the Committee’s mandate is to study matters related to reports of:

• the Office of the Information Commissioner of Canada
• the Office of the Privacy Commissioner of Canada
• the Office of the Commissioner of Lobbying of Canada
• the Office of the Conflict of Interest and Ethics Commissioner pursuant to the Conflict of Interest Act.

Bio of the Commitee Members

CHAIR – John Brassard (Barrie—Innisfil)

Conservative

Elected as the Member of Barrie—Innisfil in 2015, re-elected in 2019 and 2021

Served on multiple committees in the past, including Scrutiny of Regulations, Veterans Affairs and Procedure and House Affairs

Previously served as Member of the Board of Internal Economy and House leader of the official opposition during the 44^th Parliament and Deputy Whip during the 42^nd and 43^rd Parliaments

Before his election in 2015, Mr. Brassard was a firefighter and city councillor for the Barrie City Council

1^st VICE-CHAIR –Darren Fisher (Dartmouth—Cole Harbour)

Liberal

Elected as the Member of Parliament for Dartmouth-Cole Harbour in 2015 and re-elected in 2019 and again in 2021.

Currently a member of the Standing Committee on National Defense.

He previously served as a member of the Standing Committee on Environment and Sustainable Development, and the Standing Committee on Public Safety and National Security.

In 2009, he was elected to Halifax Regional Council and re-elected in 2012

2^nd VICE-CHAIR – René Villemure (Trois-Rivières)

Bloc Québécois

Elected as the Member for Parliament in 2021 for Trois-Rivières (Québec)

Bloc Critic for Ethics, Privacy and Access to Information

Also serves on the Subcomittee on Agenda and Procedure for ETHI

He is an Executive Member of the Canadian Branch of the Assemblée parlementaire de la Francophie and sits on multiple Parliamentary Associations.

Mr. Villemure is a well-known Ethician in Quebec, often appearing on Quebec news channels in the past for matters related to Ethics

He has a PhD in philosophy from the Université de Sherbrooke.

Michael Barrett (Leeds—Grenville—Thousand Islands and Rideau Lakes)

Conservative

Elected as the Member of Parliament in 2018 for Leeds—Grenville—Thousand Islands and Rideau Lakes, re-elected in 2019 and 2021

Conservative Shadow Minister for Ethics and Accountable Government

Also sits on the Standing committee on Government Operations and Estimates, as well as the Special Joint Committee on Medical Assistance in Dying (Vice-Chair)

Previously served on many committees, including Justice and Human Rights, Health and Procedure and House Affairs

Prior to his election, Mr. Barrett served in the Canadian Army and worked as a human resources manager

Also served as municipal councillor in Edwardsburgh/Cardinal from 2014 to 2018.

Frank Caputo (Kamloops—Thompson—Cariboo)

Conservative

Elected as the Member of Parliament in 2021 for Kamloops—Thompson—Cariboo

Also served on the Public Safety and National Security committee, Justice and Human Rights committee as well as the Veterans Affairs committee

He has served as the Associate Shadow Minister for Justice & Attorney General and the Shadow Minister for Veterans Affairs.

Before his election, Mr. Caputo worked as a worked as a Crown Prosecutor in Kamloops B.C.

He has a Bachelor of Arts from Simon Fraser University and obtained a Bachelor of Laws (with distinction) from the University of Saskatchewan and a Master of Laws from the University of Alberta.

Michael Cooper (St. Albert—Edmonton)

Conservative

Michael Cooper is the Conservative Member of Parliament for St. Albert—Edmonton. First elected in 2015, Michael was re-elected in 2019, and again in 2021.

Michael serves as the Shadow Minister for Democratic Reform.

Michael received a Bachelor of Arts and a Bachelor of Laws, from the University of Alberta.

Serves on ETHI and PROC where he is the vice-chair

Prior to his election, he was the assistant Crown attorney for Brantford.

Served on the Standing committee on Justice and Human Rights.

Also is member of a number of Parliamentary Associations and Interpaliamentary Groups, notably, Canada-Africa Parliamentary Association, Canada-China Legislative Association, Canada-Israel Interparliamentary Group and Canada-United States Inter-Parliamentary Group

Matthew Green (Hamilton Centre)

New Democratic Party

Elected as the Member of Parliament in 2019 for Hamilton Centre (Ontario), re-elected in 2021

Joint Chair of the Special joint Committee on the Declaration of Emergency

Also on the Subcommittee on Agenda and Procedure for ETHI

Previously served on many committees, including Public Accounts, COVID-19 Pandemic and OGGO

Before his election in 2019, he was the first Black Canadian to serve on the Hamilton City Council, from 2014 to 2018. He also worked as an Executive Director for the Hamilton Centre for Civic Inclusion.

Mr. Green has a degree in Political Science from Acadia University. He also attended McMaster University.

Parm Bains (Stevenston–Richmond East)

Liberal

Elected as the Member of Parliament for Stevenston–Richmond East (British Columbia) for the first time in 2021

Also serves on the Standing Committee on Government Operations and Estimates.

Prior to his election, Mr. Bains was an instructor at Kwantlen Polytechnic University. He also worked as a media and public relations officer with the British Columbia provincial government

He has attended the British Columbia Institute Of Technology as well as the Royal Roads University, where he got a Masters degree.

Brenda Shanahan (Châteauguay—Lacolle)

Liberal

TBS-related interests: Timing of the tabling of Public Accounts; Accuracy of the reporting in the Public Accounts; Greening Government.

Elected as MP for Châteauguay—Lacolle in 2015, and re-elected in 2019 & 2021.

Caucus Chair of the Liberal Party

Has served on Public Accounts (2016-2018), as well as Ethics, Government Operations, and MAID committees in the past.

Has served as a member of the National Security and Intelligence Committee of Parliamentarians (NSICOP).

Prior to her election, Ms. Shanahan was a banker and social worker, who has also been involved in a number of organizations such as Amnesty International and the Canadian Federation of University Women.

Iqra Khalid (Mississauga–Erin Mills)

Liberal

Elected as the Member of Parliament in 2015 for Mississauga–Erin Mills (Ontario), re-elected in 2019 and 2021

Currently also serves on the Committee for Scrutiny of Regulations as was all the Subcommittee on Agenda and Procedure for ETHI

She’s on multiple Parliamentary Groups, including Canadian NATO, the Canadian Branch of the Commonwealth and the Canadian Group of the Inter-Parliamentary Union

Before her election in 2015, she worked as a legal professional. She has a degree in criminology and professional writing from York University as well as a Juris Doctor degree from WMU-Cooley.

Ms. Khalid was born in Punjab and immigrated in Canada in 1998

Anthony Housefather (Mount - Royal)

Liberal – Parliamentary Secretary to the President of the Treasury Board

Elected as the Member of Parliament for Mount Royal (Quebec) in 2015 and re-elected in 2019 and 2021.

Sits on the Standing Committee of: Access to Information, Privacy and Ethics and Justice and Human Rights.

He also sits on the executive of the Canada-US Parliamentary Friendship Group and is the Chair of the Canada-Israel Parliamentary Friendship Group as well as the co-Chair of the International Task Force on Online Antisemitism with US Congresswoman Debbie Wasserman-Schultz.

Anthony has two Law Degrees (B.C.L. and LL.B.) from McGill University and an MBA from Concordia University’s John Molson School of Business

Was first elected to office in 1994. He was initially elected as a municipal councillor in Hampstead, then elected in Côte-Saint Luc/Hampstead/Montreal West and served as Mayor of Côte Saint-Luc between 2005 and 2015.

References in Parliament

House of Commons Question Period – October 28, 2024

Mr. Pierre Paul-Hus (Charlesbourg—Haute-Saint-Charles, CPC):

Mr. Speaker, the Office of the Privacy Commissioner of Canada indicated in various reports that there were only 113 privacy breaches within the Canada Revenue Agency between 2020 and 2024. However, now Radio-Canada is reporting that there were more than 31,000 security breaches that directly affected 62,000 Canadian taxpayers. CRA is now saying that it issued payments totalling $190 million in connection with confirmed cases of fraud since 2020. Will the outgoing national revenue minister hand over the file to the RCMP so that Canadians can recover the $190 million in stolen money?

Hon. Marie-Claude Bibeau (Minister of National Revenue, Lib.):

Mr. Speaker, let me begin by saying that fraud is totally unacceptable and we are taking the necessary measures to address it. It is true that the Canada Revenue Agency is a target of choice because we have a lot of personal information within the agency. Also, we administer very significant payments and tax returns. However, our systems are robust. The CRA has protection procedures for detecting and blocking fraud. Every time fraud is detected, the individual concerned is immediately notified. I can assure the House that we are taking all necessary measures to deal with this situation.

Mr. Adam Chambers (Simcoe North, CPC):

Mr. Speaker, after nine years of the Liberal government, the Prime Minister is not worth the cost. In the latest scandal to hit the Canada Revenue Agency, over 60,000 taxpayers had their personal, private information hacked. Not only is the information of these individuals floating around on the Internet, but this also cost taxpayers money. Over $190 million has been improperly paid to scam artists because of privacy breaches at revenue Canada. Will the minister get information and call in the RCMP about this privacy breach so that taxpayers can be repaid?

Hon. Marie-Claude Bibeau (Minister of National Revenue, Lib.):

Mr. Speaker, fraud is completely unacceptable. We agree on that. I can assure the House that our government is taking appropriate action. It is true that the Canada Revenue Agency is a prime target because we have a lot of personal information. We also administer a lot of benefits and tax refunds. However, the CRA's systems are solid. We are able to deal with and block attempts at fraud, inform those affected and ensure the necessary follow-up.

House of Commons Question Period – October 31, 2024

Mr. Jean-Denis Garon (Mirabel, BQ):

Mr. Speaker, on this Halloween, the worst house of horrors is here in Ottawa, the Canada Revenue Agency. Fraudsters got $6 million in fraudulent tax refunds. The agency was not even able to realize that different people were being paid in the same bank account. That is not all. There is a smart guy who fudged his tax returns to try to get a $40 million refund. The agency had time to refund him a small amount of $10 million before the guy's bank warned the agency that something was fishy. How many other fraudsters are there with both hands in the cookie jar?

Hon. Marie-Claude Bibeau (Minister of National Revenue, Lib.):

Mr. Speaker, once again, fraud is completely unacceptable, and I can assure my colleagues that we are taking the necessary measures to deal with the situation. Obviously, with all the personal information it has, the Canada Revenue Agency is a prime target. However, it is not the agency that is directly targeted, but it is often the information that we, as citizens, share through various systems. As individuals, we need to be careful. I want to assure my colleagues that the agency is very vigilant, that we have experts who are very careful and that as soon as a fraud is detected, the account is frozen and the individual is informed.

Mr. Jean-Denis Garon (Mirabel, BQ):

Mr. Speaker, the minister might think this is our fault, but we want to know how many other times the Canada Revenue Agency has been a victim of fraud as a result of a lack of verification, because the CRA has been hiding the real numbers. Since 2020, the CRA has notified the Privacy Commissioner of 113 cases where taxpayers' personal information was used to commit fraud. When questioned by the media, the CRA revealed that it was not 113 cases but more than 31,000 cases. As for the Minister of National Revenue, she is a real ghost. She is refusing interview requests. Is the government not tempted to tell the truth the first time around every once in a while?

Hon. Marie-Claude Bibeau (Minister of National Revenue, Lib.):

Mr. Speaker, I say what I do, I do what I say and I am not hiding. However, it is important for people to know that the law prohibits the Minister of National Revenue from discussing specific cases. The CRA is very well equipped. We have experts. We are working with all kinds of specialists and with other countries to share best practices. In fact, the J5, the Joint Chiefs of Global Tax Enforcement, were in Ottawa just two weeks ago. I want to assure my colleagues that we have the experts we need and that we are doing what needs to be done.

Mr. Jean-Denis Garon (Mirabel, BQ):

Mr. Speaker, fraud is on the rise at the Canada Revenue Agency because no one is doing the proper checks, including the minister, who has the power to launch investigations. Then there are the cases where the CRA is defrauding itself, as was the case with 330 employees who had to be fired because they approved themselves for CERB, the Canada emergency response benefit. The vampires were running the blood bank. The CRA is haunted with issues of audits, accountability, transparency and leadership. It could use a little exorcism. When is the minister going to clean house?

Hon. Marie-Claude Bibeau (Minister of National Revenue, Lib.):

Mr. Speaker, once again, the CRA has 60,000 employees. As we went through COVID-19, there were many countries that envied us because Canada and our Liberal government did what it took to help people and businesses. That is why we bounced back so much better than many other countries in the world. Yes, there are 60,000 employees, but everyone who received CERB was individually checked. The CRA does not gift cheques. We have taken the necessary HR measures.

House of Commons Question Period – November 18, 2024

Mr. René Villemure (Trois-Rivières, BQ):

Mr. Speaker, the media recently reported that scammers are taking full advantage of the Canada Revenue Agency's complacency to get their hands on bogus tax refunds. Radio-Canada, however, reports that the CRA has no idea how badly it needs to clean up its act. Instead of tackling fraud and bad practices, the CRA is going on a witch hunt to find out who is talking to reporters. Managers are going so far as to spy on the contents of their employees' computers. Instead of addressing the problem, they are shooting the messengers. Will the minister ask the CRA to go hunt down the scammers, not the whistle-blowers?

Hon. Marie-Claude Bibeau (Minister of National Revenue, Lib.):

Mr. Speaker, some things need to be called out. In fact, that is why we are supporting a Bloc Québécois bill. If I were to publicly share information subject to the Income Tax Act, I would be liable to seven years in prison. It is serious. Considering that CRA employees also have a professional obligation to protect the integrity of the tax system, it is important to remind them of their obligations.

Mr. René Villemure (Trois-Rivières, BQ):

Mr. Speaker, scammers made off with millions of dollars in bogus refunds because the Canada Revenue Agency did not bother to check before paying out the money. The CRA then communicated with its employees not to ask them to tighten up their auditing processes, but to ask them to stay quiet. CRA leadership thinks that their main problem is not fraud, but the media. What we need is accountability, and accountability begins with protecting whistle-blowers, not scammers. Will the minister address the total lack of ethics at the Canada Revenue Agency?

Marie-Claude Bibeau (Minister of National Revenue, Lib.):

Mr. Speaker, my colleague is confusing things. There are two very different issues here. I can, however, assure the member that at the CRA, we take this mistake very seriously. We have very professional teams who are working on this. We have different strategies. We are working with the RCMP, with the financial institutions, with our international partners. There are several safety nets to catch them. The CRA is a target of choice, obviously, with the information we have, the benefits we pay out and the credits we process, but I can assure the House that we are still doing good work.

Points of Order

Hon. Marie-Claude Bibeau:

Mr. Speaker, I rise on a point of order to make a correction to an answer I gave earlier during oral question period. If I disclosed information that is protected under the Income Tax Act, I could be sent to prison for 12 months.

House of Commons Question Period – November 19, 2024

Mr. Alain Therrien (La Prairie, BQ):

Mr. Speaker, Radio-Canada obtained documents proving that the Canada Revenue Agency has known for months that, when it comes to fraud, it is about as watertight as a sieve. It has known since November 2023 that scammers were receiving bogus tax refunds. Instead of sounding the alarm, the CRA is covering up the problem. The CRA is hiding it from taxpayers, who have been robbed of more than $100 million this year. It is keeping them in the dark about the fact that 31,000 of them had their personal information stolen. Instead of trying to fix this, it decided to investigate its own employees to silence the whistle-blowers. Will the minister clean house?

Hon. Marie-Claude Bibeau (Minister of National Revenue, Lib.):

Mr. Speaker, what my colleague is saying is false. We did not hide anything whatsoever. I can assure the House that as soon as a tip comes in about potential fraud, we take the situation very seriously. The people concerned are called immediately. Their account is frozen immediately. Checks are done to identify the fraudsters, and our systems are tightened up accordingly. We duly report all incidents to the Treasury Board, to the Privacy Commissioner and in the public accounts.

Mr. Alain Therrien (La Prairie, BQ):

Mr. Speaker, that is impressive. When it comes to crisis management, the Canada Revenue Agency is an example of what not to do. Here is the CRA approach to not solving a fraud problem. First, cover up the crisis until it makes the news. Second, conceal thefts of personal information from the Privacy Commissioner. Third, hunt down the whistle-blowers, not the scammers. I could not make this up. In short, the CRA directors are more interested in avoiding blame than solving the problem. Their number one priority is to cover their butts. Is the minister going to set them straight on their priorities?

Hon. Marie-Claude Bibeau (Minister of National Revenue, Lib.):

Mr. Speaker, I am willing to do whatever it takes. We are already doing that. My colleague's claims are false. They are completely false. We did not cover up anything. As soon as the system is breached or an attempted fraud is detected, the account is frozen. The affected individuals are notified. We find the scammers and report the incident. Yes, we report the incident in accordance with our procedures. We now provide quarterly reports to the Treasury Board, to the Auditor General and in the public accounts.

Senate Question Period – October 29, 2024

Hon. Donald Neil Plett (Leader of the Opposition):

Senator Gold, yesterday Canadians learned that the Canada Revenue Agency, or CRA, has been massively under-reporting privacy breaches that have paid out millions to scammers. The CRA previously told the Privacy Commissioner that 113 privacy breaches had occurred over the past four years. They now admit the real number is 31,000 — 113 to 31,000 — impacting 62,000 taxpayers. The Canada Revenue Agency, or CRA, also admitted it has authorized $190 million in payments connected to these breaches between 2020 and earlier this month. Leader, this is absolutely not worth the cost. When did the NDP-Liberal government learn that the CRA hasn’t been telling Canadians the truth, and is that $190 million gone for good? Can you confirm that I did not previously give you this question?

Hon. Marc Gold (Government Representative in the Senate):

I can confirm that you have never given me a question in advance, and I would be shocked if you would. That’s not your job. My understanding is that in the current context — and the CBC broke the story — these were breaches not of the CRA, but of H&R Block, if I recall. I’ve been informed that in the event of fraudulent use of personal data, the CRA — the agency — directly contacts the individuals targeted by the fraudsters and carries out close follow-ups to ensure monitoring and security of these accounts. Indeed, the government has been clear that combatting all forms of tax fraud is an important responsibility of the CRA. The CRA is, unfortunately, a prime target for fraud attempts, and the security measures that are put in place are constantly reinforced to counter these attempts. I’ve been informed that processes and procedures are in place to quickly respond and mitigate threats to taxpayer information and taxpayer accounts.

Senator Plett:

We were all equally surprised that the CBC finally did their job. When the Minister of National Revenue was asked about this yesterday in the other place, she said that the CRA’s systems are solid and robust. How can this incompetent government say that with a straight face? Can you say that with a straight face given what we have learned? Leader, has this fraud been referred to the Royal Canadian Mounted Police for investigation? Yes or no?

Senator Gold:

I’m not aware of what steps may have been taken or will be taken with regard to the breach that the CBC reported. Again, it’s important for Canadians to understand this was not a breach of the CRA’s security but rather of the tax advising company whose data was, in fact, breached.

Senate Question Period – October 30, 2024

Hon. Donald Neil Plett (Leader of the Opposition):

Senator Gold, yesterday, I asked you about hackers obtaining millions of dollars from the Canada Revenue Agency, or CRA, through privacy breaches. Today we learned of another scam, Senator Gold. Last summer, a taxpayer falsely changed his T4 slips to claim he was owed $40 million. The CRA started paying him the money. That’s right: It would be funny if it wasn’t so sad. The CRA started paying him the money without verifying his new tax return. They only discovered the scam when a bank alerted the CRA that he was getting an unusual $10-million payment. Is that also funny, Senator Simons? If this guy had been less greedy he would have gotten away with it, and the CRA wouldn’t have found other similar scams. Senator Gold, how can you defend the incompetence, the neglect, the lack of a competent government doing —

Hon. Marc Gold (Government Representative in the Senate):

Thank you for your question. This also gives me an opportunity to correct something that I said yesterday with regard to this issue. When talking about the other breach, I misspoke. H&R Block was the target of the hacking but not responsible for it. I want to go on record and apologize for my error. With regard to your question, this story is an incredible one. I believe it was the Canadian Imperial Bank of Commerce, or CIBC, that flagged the issue to the CRA — and good on them, as we would say. Tax fraud is an important responsibility. The CRA does its best, knowing that it’s a prime target for fraud attempts. Indeed, as I’ve mentioned, it is regularly upgrading its defences and looking out for fraud. With regard to any further comments, I really can’t make them —

Senator Plett:

Where is the accountability? You’ve increased the number of employees at the CRA by two thirds since 2016, yet it doesn’t seem like any of them are rooting out fraud. The minister responsible for the CRA is one of the four Trudeau cabinet ministers with one foot out of the door, so she’s certainly not minding the shop. I doubt if anyone is, Senator Gold. Who’s taking care of Canadian taxpayers?

Senator Gold:

The CRA has an enormous responsibility and an enormous job to do. It certainly had an enormous responsibility during the years of the pandemic. Many of these issues, if my understanding of the reporting is correct, had their origins in that area, but, again, it’s taking steps to enhance its security and doing everything it can to protect itself — and, therefore, Canadians — against fraud.

https://nikiashton.ndp.ca/news/ndp-mp-niki-ashton-calls-parliamentary-study-hacking-cra-taxpayer-accounts - October 28, 2024

Recent House of Commons Order Paper Question:

Q-3149² — October 29, 2024 — Mr. Aboultaif (Edmonton Manning) — With regard to media reports that the CRA discovered hackers had used H&R Block credentials to get unauthorized access into hundreds of Canadians' personal CRA accounts, change direct deposit information, submit false returns and pocket more than $6 million in fraudulent refunds: (a) how many users' accounts were accessed; (b) how many accounts had their direct deposit information changed by hackers in this instance; (c) how many false returns were submitted; (d) how much money was paid out in fraudulent refunds; (e) how much of the fraudulent refund money has since been recovered; and (f) how much of the fraudulent refund money does the CRA (i) expect, (ii) not expect, to recover in the future?

Note: Response due to be tabled in the House of Commons in December 2024.