TORONTO -- Following the Canada Revenue Agencyâs admission over the weekend that thousands of Canadiansâ accounts had been compromised in a series of recent cyberattacks, several victims say they notified the CRA about the hacks weeks â and even months â earlier.
According to the CRA, hackers accessed the accounts of 5,500 Canadians using stolen usernames and passwords in three separate cyber security incidents. Government officials said they first learned of the security issues on Aug. 7 and contacted the RCMP to investigate on Aug. 11.
However, Linda Bradford said she alerted the CRA about a breach in her account months earlier, all the way back in May.
She said she first spoke with a CRA representative on May 8 to tell them her account information had been changed without her consent. The bank account to which her Canadian Emergency Response Benefit (CERB) payments were deposited had been switched to a new one at Tangerine Bank, which she had not opened.
Bradford said the CRA agents she spoke with didnât know what had happened to her account and opened an investigation with Tangerine Bank. Since then, she said she has spoken with approximately seven CRA representatives to have her CERB payments reinstated.
âIt was just insane,â she told CTVNews.ca during a telephone interview on Tuesday. âI cannot tell you how many hours I spent on the phone.â
Bradford, who has run a bed and breakfast for 19 years with her husband in Owen Sound, Ont., has been collecting CERB since the pandemic began. She said they havenât reopened and still rely on CERB because theyâre both in their seventies and her husband is immunocompromised.
The business owner said she became angry when she learned that government officials were telling the public they only became of aware of the cyberattacks in early August.
âMy reaction was âYou liars. You knew,ââ she recalled. âI probably wasnât the first person to call and I called May 8.â
Another victim of a cyberattack, Sara â who did not want her full name used because she works for another department of the federal government â said she also notified the CRA about her account long before Aug. 7.
Itâs unclear whether the hacks involving Sara and Bradfordâs accounts are related to the larger security incidents recently announced by the CRA.
The agency says it has noticed an increase in scams in the âpast few years,â and during the pandemic thereâs been a focus on CERB payments -- unconnected to the cyberattacks.
âFraudulent activity on taxpayersâ CRA accounts prior to August 7 may not be related to these recent cyber security incidents,â a CRA spokesperson told CTVNews.ca in an emailed statement.
âThese recent cyber security incidents are a deliberate and systematic attack on the CRA systems, but smaller, targeted scams on individual taxpayers also occur. External breaches have provided personal information such as names, SIN, date of birth, address, and other financial/tax information. Information from these breaches can be collected and combined to allow someone to impersonate someone online, over the phone, open bank accounts, etc.â
Sara said she realized her account had been compromised when she received an email on July 16 informing her that her email address had been removed from her CRA profile. When she went to investigate the next day, Sara said she discovered her account information had been updated and a new TD Bank account had been added without her knowledge.
Sara said she called the CRA that day and learned that someone had applied for CERB in her name and the payment was in the process of being delivered to the account with TD Bank. She said she was told that a resource officer would call her back 24 hours later.
When she didnât hear back from the CRA after a few days, Sara said she called them again on July 21. Since then, she has learned that CERB payments had been made from her account and it has been disabled.
Sara said sheâs been frustrated by the lack of communication from the CRA and the fact that they said they only learned about the breaches on Aug. 7.
âEven if I was the first to have called, [the breach to my account was] pretty substantial, and to think that nothing was locked down until the seventh of August...â she said. âI would have hoped that somebody would have looked into it and did what they needed to do to lock down the access.â
Rick Pantridge, from Whitby, Ont., said he went through a similar situation as Sara and Bradford when he was unexpectedly notified by the CRA that the banking information on the account had been changed on July 31. He said he also received another email alerting him that his application for CERB had been approved â even though he never applied for one.
The 64-year-old said when he followed up with a CRA agent later that morning, she told him he was the third caller she had spoken to that day with a similar problem. He said she was also unable to reassure him that his SIN had been protected in the cyberattack.
Pantridge said his CRA account was locked down and he was told he would receive a call from another agent in 24 hours. Like Sara, he never received one.
âI have never heard from them. I've tried to call, but the wait times are insane,â he told CTVNews.ca during a telephone interview on Wednesday.
Pantridge said he was âtickedâ when he read that the CRA said they only just found out about the breaches and that reusing passwords was to blame for the hacks.
âThey kind of implied that because you use your password over multiple platforms, which I pretty much promise you 100 per cent of the population does, itâs your fault,â he said. âYou're the CRA, you should be the toughest organization to crack cyber-wise.â
All of the victims CTVNews.ca spoke with said they have been on pins and needles as they closely monitor their bank accounts to see if anyone has applied for a loan or a credit card in their names.
âNo one has tried anything yet, but you donât know,â Bradford said. âIâm a pretty innocent, honest person here. I don't think like a criminal. So I don't know all the things they could do with my SIN [social insurance number].â
âIt's just so unnerving that somebody else has all this information,â Sara said. âThey know my child's name, they know my child's date of birth, they know where I live⌠I feel so violated.â