3 October 2025

What Canada's Recent CRA Cyber Incident Means For You

Bateman MacKay LLP

Contributor

We are a full-service mid-market accounting firm. Our CPAs and business advisors leverage their expertise to proactively position businesses for success. Serving a diverse client base, we help businesses grow, preserve wealth, and achieve lasting success.

A recent cybersecurity incident involving taxpayer contact information was disclosed by the Federal Government. Individuals and businesses should remain alert and follow established cybersecurity best practices.

What happened?

On September 9, 2025, the Federal Government released a statement regarding a data security incident involving non-sensitive personal information. Specifically:

  • Phone numbers linked to certain Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC) accounts, and
  • Email addresses associated with Canada Border Services Agency (CBSA) accounts

were accessed during a window of exposure (August 3 to August 15, 2025) caused by a software update vulnerability.

Importantly, there is no evidence that sensitive personal data (such as financial information or identification numbers) was accessed or disclosed. No immediate action is required unless you have been directly notified that your information was affected.

What you should watch out for

Even though this incident does not appear to represent a major breach, there is potential for misuse of exposed phone numbers and email addresses. Scammers often use that kind of data to launch phishing, smishing (text message scams), impersonation or spoofing attacks.

Here's what you (and your team) should do:

  1. Be extra wary of unexpected or unusual messages
  2. Use complex, unique passwords
  3. Enable Multi-Factor Authentication (MFA) wherever possible
  4. Monitor your accounts for suspicious activity

How we can help

While this incident was limited and no sensitive data appears to have been accessed, it serves as a reminder that vigilance is key. Ensure your passwords are strong and unique, enable MFA on important accounts, and always verify communications before taking action.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
