Canada Privacy Watchdog Reports Over 42,000 CRA Account Breaches

Canada's privacy watchdog reports that more than 42,000 Canada Revenue Agency tax accounts have been breached since 2020 ^[1].

These breaches expose significant vulnerabilities in the federal government's ability to protect sensitive financial data from cybercriminals. The scale of the compromises suggests that systemic security gaps have left thousands of citizens vulnerable to identity theft and fraud.

In a report released May 9, 2026, the Office of the Privacy Commissioner of Canada detailed failures in prevention and detection ^[2]. The watchdog said the Canada Revenue Agency suffered from a delayed rollout of multi-factor authentication, a critical security layer that requires users to provide two or more verification factors to gain access to a resource.

Security gaps also included weak phone-based verification processes ^[3]. The commissioner said these deficiencies allowed cybercriminals to use stolen credentials to gain unauthorized access to tax accounts ^[3]. While some reports suggest the number of breaches is closer to 45,000 ^[4], the official report emphasizes the urgent need for an overhaul of the agency's cyber-defences.

The commissioner said the agency must address these gaps to prevent further unauthorized access. The report highlights that the persistence of these vulnerabilities over several years has compromised the integrity of the tax system's digital infrastructure ^[2].

To mitigate future risks, the watchdog is urging the agency to accelerate the implementation of modern security protocols. This includes strengthening the verification process for phone-based inquiries, and ensuring multi-factor authentication is fully deployed across all user touchpoints ^[3].