“My online tax account was hacked, turning my life upside down. Now, I’m suing the CRA”
Stephen Real is one of thousands of Canadians affected by a massive security breach in 2020. Three years later, he can’t pay his taxes, fraudsters are attempting to buy cars in his name and he fields more than 20 spam calls a day
In late July 2020, Canada’s tax collectors got hacked—an unknown attacker managed to log in to thousands of online accounts using usernames and passwords stolen elsewhere on the web. They hit the jackpot: social insurance numbers, phone numbers, addresses, banking information—everything needed to assume someone else’s identity, commit fraud in their name and get quick access to CERB cash. Now, some of the victims are suing the federal government in a class action lawsuit, alleging that a glitch in the Canada Revenue Agency’s system let the hackers bypass users’ security questions—no mother’s maiden name required. While the CRA originally said that only 5,600 accounts were affected by the breach, the lawsuit alleges that the real number could be over 26,000. Here, one of the plaintiffs, Stephen Real, a 66-year-old resident of Don Mills West and former IT security consultant, tells us about enduring years of stolen-identity mayhem.
My nightmare started three years ago, in the wee hours of the morning. It was 4:03 a.m. on the Sunday of the August long weekend in 2020 when my phone buzzed on my bedside table. It was a special ring I had set up for important emails. This one was from the CRA—my direct deposit information had been changed. I hadn’t done that. Something weird was going on.
I called the CRA right away, but of course no one was working. So I logged in to my CRA account to try to figure out what was happening. Right off the bat, I found that the deposit information for one of my three accounts had been changed from my bank, CIBC, to BMO, a bank I’ve never used. I started taking screenshots.
Confused, I went to another part of the online portal and found a notice saying that I had applied for CERB. That was impossible: I had just retired and was receiving the last of my unemployment insurance, so I wasn’t eligible. Besides, I’d never applied. Within an hour, my other two accounts were linked to BMO branches in Mississauga. I took more screenshots. Someone had hacked my account, and now I had proof.
I spent the rest of the weekend calling the CRA, leaving messages saying, “Hey, I’m being hacked!” When I finally got in touch on Tuesday morning, they brushed it off, saying that someone would call me back. It took until Thursday for them to lock my account and tell me to call Equifax, the Toronto police’s financial crimes unit and the RCMP—anything I could do to protect myself.
Meanwhile, I decided to go investigate on my own. I visited the Mississauga BMO branches where, apparently, I had bank accounts. I figured I’d say, “Hey, I lost my bank card” and go from there, but as soon as I gave my ID to the woman at the front desk, she said, “Oh, I have to get the manager.” A minute later, he came out and said, “We have to ask you to leave—we’re not allowed to discuss this matter.” They gave me a phone number for their head office and told me to report the fraud. That was it. I was on my own again.
It got weirder. My hackers had applied for two CERB payments by direct deposit, fraudulently landing $4,000 in the accounts they’d created in my name, but their third $2,000 request was caught by the CRA before it could be paid. For some inexplicable reason, the system defaulted to mailing it to me instead. A week after the hack, I found myself holding a CERB cheque I’d never applied for. Once again, I called the CRA, and suddenly they were questioning me: “How did you get that cheque?” I felt as if they were accusing me of being the fraudster.
After that, three different CRA employees called me, all saying different things. One said I had to send the cheque back to the CRA’s headquarters in Quebec, so I did that via registered mail. I know from my tracking that it arrived and was signed for, but even now, three years later, the CRA is still asking me where it ended up.
In mid-August of 2020, the media started reporting on the hack, and the CRA admitted that it had been caused by a vulnerability in the agency’s security software. It said that about 5,600 accounts could have been compromised. But, when I got in touch with the Toronto police, they said their fraud unit had received over 2,000 calls in two days from Toronto alone. It seemed like there had to be more victims than the CRA was claiming.
A month later, in September 2020, I got a call from an Acura dealership. The woman on the phone asked me what vehicle I currently drove. When I asked why, she was surprised—hadn’t I just been in their Woodbridge location, looking to buy a 2020 Acura? I answered no, and she caught on. She told me that I should report a fraud.
That wouldn’t be the last time. About a year later, someone tried to buy a $65,000 Lexus under my name. Since the hack, I’ve had Equifax place a block on my account, so I’m not sure how many other purchases have been attempted. Every time I buy something major, I have to call and tell them myself.
For six months, the CRA stopped corresponding with me via email entirely. Eventually, they began sending me pro forma notes telling me to keep changing my password and monitoring my credit history. It’s incredible—their system failed, and it’s like they’re blaming me for having bad security.
These days, my phone is constantly ringing with spam calls. I get about 20 of them per day, usually at dinner time, saying they’re from the CRA or Visa and need the security key for my credit card. They’ll start off professional, but I’ve started saying I’m from the CRA myself. At that point, they’ll swear and hang up. I know what’s going on: the hackers got my number from the CRA, and now they’ve sold it to spammers.
On June 1 of this year, I got a phone call from a woman working for the CRA out of Vancouver. She was on her cellphone, at home. She said she had to see photo ID to verify my identity, but it was her first week on the job and she didn’t have access to the CRA’s internal system yet. All she could find was my passport. I asked if we could do a Zoom call so she could see my face. She refused, because that went against policy. She asked if I could fax her photos of my other ID. I refused, because that was ridiculous. Who has a fax machine?
Eventually, she found my Nexus card on file and we got to the meat of the call. Apparently, my case had been moved between four or five different inspectors over the past two years, who kept giving up and leaving before they could solve it. She said that the CRA is looking into unlocking my account so I can pay my taxes from last year, but that apart from that, there was nothing they could do.
At this point, I’m not sure if they’re doing anything. From day one, I’ve been asking for someone to give me a full account of what happened, but it never comes. I’ve worked in IT security for 50 years—I don’t think they’re giving us the full story. They’d rather blame us taxpayers for not changing our passwords.
In October of 2022, I signed on to a class action lawsuit against the government of Canada, alleging that the Crown was negligent in protecting our online information. Hopefully, it will result in compensation for all the hardship I’ve experienced—and make the government take accountability for this mess.
I’ve lost a huge amount of confidence in the government. The IT implementation is so poorly done—first it was the hack that compromised my information, then the glitchy ArriveCAN app, and then just this week the Nova Scotia government was infiltrated, revealing the social insurance numbers of 100,000 people. Multiple levels of government have shown themselves to be technologically incompetent, and the CRA is just one example.
With the exception of the woman who called me from her home, I’ve heard nothing from the CRA. When I call, they don’t answer. At least in the old days, they’d keep me updated or send me mail. Now, I get nothing.
I want an apology. I want my taxes cleaned up. And I need a new ID. Until I get one, I’m just going to keep getting hacked again and again.
In a statement to Toronto Life, the CRA said it could not comment on this story due to privacy concerns and the ongoing lawsuit. It added that the protection of taxpayer information is of the utmost importance and that it works with affected individuals to take swift protective action upon becoming aware of potential incidents of identity theft or account breach.