CRA demands payment on scammed federal benefits — from the victim whose account was hacked

Tax agency's website still vulnerable, 3 years after major security breach, expert says

Image | Justice Mounsey

Caption: Justice Mounsey of Toronto says he's spent countless hours making calls and sending emails trying to prove he's not the one making benefit claims or applying for credit — after his financial information was stolen from the Canada Revenue Agency's website. (Craig Chivers/CBC)

Justice Mounsey is living a financial nightmare, battling a constant onslaught of identity thieves applying for credit cards, loans and more under his name after hackers got hold of his personal information from a government website three years ago.
And as if that's not enough, that same department is forcing the Toronto man to clear his name over and over again.
The personal and financial information of thousands of taxpayers, including their bank account and social insurance numbers ended up in the wrong hands after the Canada Revenue Agency (CRA) and other government service websites were hacked in the spring or summer of 2020.
Since then, fraudsters have tried to access credit and benefits under Mounsey's name at least 18 times.
He's has had to deal with fraudulent credit card and bank account applications, auto-payments to a utility company — and four EI claims plus a CERB claim totalling about $40,000.
The most frustrating part, he says, is dealing with the government's demands that he pay thousands of dollars in taxes and interest, related to those EI claims.
"They just keep asking for more and more money," Mounsey told Go Public. "I'm the victim here. This is their security protocol that failed, but I'm left to pick up all the pieces."
WATCH | Fighting to clear his name:

Media Video | The National : Toronto hacking victim ‘living a financial nightmare’

Caption: Three years after his CRA account was hacked, a Toronto man says he's been forced to clear his own record, despite government promises to help people in his position. He says fraudsters used his social insurance number to get federal benefits, and now he’s on the hook for thousands of dollars.

Open Full Embed in New Tab (external link)Loading external pages may require significantly more data usage.
Mounsey is a part of a class-action lawsuit, certified last year in federal court, that claims "operational failures" by the government allowed hackers to access the information.
The government has not commented on the lawsuit, but has said the cyberattack relied on "credential stuffing"— using stolen IDs and passwords to access other websites and applications — and urged Canadians to avoid reusing passwords. Some saw this as an attempt to blame the leak on its victims.
According to court documents, hackers successfully logged in to at least 48,110 CRA accounts. They then changed the direct deposit banking information on 12,700 taxpayer accounts and fraudulently applied for CERB benefits. Mounsey is one of them.
"At the end of the day, you have a Canadian, who's been victimized by a cyberattack," said Ritesh Kotak, a security analyst and a technology lawyer.
"The fact that an individual has to go, and go through so many different hoops, deal with so many different agencies, and spend hundreds of hours to address this situation is just inappropriate."

Image | CANADA REVENUE AGENCY

Caption: The CRA eventually acknowledged Mounsey's information had been stolen, but nonetheless is demanding he pay taxes and interest related to bogus claims made by fraudsters. (Chris Wattie/Reuters)

Mounsey first learned about the cyberattack in the summer of 2020, through his wife's friend, who had discovered her CRA account had been hacked.
When he logged in, he noticed his direct deposit information had been changed. He signed up for a credit monitoring and fraud alert service and contacted Equifax, TransUnion, the CRA, and the Anti-Fraud Centre, asking for a flag to be put on his accounts.

CRA threatens legal action

It took two and half years before the CRA officially notified Mounsey he was possibly a victim of the hack. By that time, he had been dealing with a flood of fraudulent activity.
A CRA letter dated Oct. 4, 2022, said "an unauthorized individual" had possibly accessed his account and changed his direct deposit information on May 27, 2020. It offered a five-year subscription to TransUnion's online credit alert system. Mounsey says he tried to sign up, but the link didn't work, plus he'd set up a credit fraud detection service himself years earlier.
"When I received that letter [I thought] OK, this is an admission that yes, my account is compromised. So my thought process then is like, 'finally someone understands and I'm not going to be receiving notice that they're looking for money anymore. They want to support me,'" he said.
But the letter didn't say anything about not coming after Mounsey for money and, under the terms and conditions(external link) on its website, the CRA says it's not responsible for damage to taxpayers related to "data security violations."

Image | Ritesh Kotak

Caption: Lawyer and cybersecurity analyst Ritesh Kotak says the government failed to offer the right supports to Canadians caught up in the CRA's website hack (Keith Whelan/CBC)

Mounsey's optimism that he'd finally get help from the government quickly faded. In March 2023, the CRA sent another letter, demanding he pay $6,018.97 or face possible legal action for taxes and interest charges related to those fraudulent EI claims.
"I was very upset… I think I've received maybe four different notices stating, 'Hey, you've got to give us money… and if you don't pay us in the next few months, we're going to start garnishing your wages.'
"The same organization was talking to me out of two sides in their mouth." Mounsey said.
For months he's been trying to clear that up — bouncing between the CRA and Service Canada, working to get the paperwork one department wants to the other.
But instead of working with him, Mounsey says the departments are making things harder. At one point, he says CRA closed his file because Service Canada took too long to cancel a tax slip.
He had to start the process over again. All this despite Service Canada having acknowledged, in a letter sent late April, that fraudsters may have used Mounsey's personal information to submit those EI applications.

Image | Justice Mounsey

Caption: Mounsey shows the mountain of paperwork he's accumulated over the past three years dealing with fraudsters and the government. (Craig Chivers/CBC)

Go Public asked both departments why they didn't work together to resolve Mounsey's issues. Service Canada responded, saying it and CRA are "two separate entities with different capabilities and responsibilities."
"Service Canada works closely with claimants to resolve these issues related to fraudulent EI applications as quickly as possible," it said in an email.
The CRA tells Go Public it can't comment on specific taxpayer situations because of confidentiality rules under the Income Tax Act.
Generally, it says in "cases of a confirmed identity theft incident, the CRA will ensure that proper protection and corrective actions are taken thereby returning the taxpayer to a seamless interaction with the CRA."
But Kotak, the security expert, says Mounsey's interaction has been anything but seamless.
"I deal with these victims all the time and it's heartbreaking," he said. "The toothpaste is out of the tube and to put it back is just not possible. Once your information has been compromised it is very hard to make somebody whole... it's very difficult, in some cases even impossible."

'Confidence and security'

The CRA says it has improved security on its website since the hacks, including adding mandatory multi-factor authentication and proactively revoking user IDs and passwords that may have been stolen elsewhere. "Canadians can use the CRA's online services with confidence and safety," it says.
But Tanya Janca, CEO and founder of the cybersecurity company We Hack Purple, says the site still lacks some basic security measures.

Image | Tanya Janca

Caption: Cybersecurity expert Tanya Janca says the CRA’s site still lacks basic protections and worries taxpayers’ data could be at risk. (Google Meet)

For one, she says, it doesn't have security headers — a feature that configures users' browsers to use defence settings while on the website — and which are required under the federal government's security policy.
When Go Public asked about the lack of headers, the CRA didn't respond.
She's also concerned about the site's terms and conditions, saying the federal department is waiving responsibility if accounts get hacked, since taxpayers don't have a choice about sharing their sensitive information with the agency.
Those terms and conditions say there is a "remote possibility of data security violations," and that the CRA is "not responsible for any damages you may experience as a result."
The CRA told Go Public that disclaimer "ensures that taxpayers understand their role in protecting their private information," adding such disclaimers are commonly found on all kinds of banking and government websites.

What's next?

Almost three years after the cyberattack, Mounsey says his credit is messed up, and he worries about what he'll have to deal with next.
"[I need to do] everything that I can do to make sure that they're not taking more money from me and to clear my name because no one else seems to be helping," he said.
"I've worked with so many different people to try to rectify this, but I get different messaging from each organization … It would be great if they would talk to each other instead of putting all the onus on me… It's really been a nightmare."
He's now working with Service Canada to get a new social insurance number, but says he's not sure how much that will help since he's still responsible for anything that happens with the old one.

Submit your story ideas

Go Public is an investigative news segment on CBC-TV, radio and the web.
We tell your stories, shed light on wrongdoing and hold the powers that be accountable.
If you have a story in the public interest, or if you're an insider with information, contact GoPublic@cbc.ca(external link) with your name, contact information and a brief summary. All emails are confidential until you decide to Go Public.
Read more stories by Go Public.(external link)