CRA demands payment on scammed federal benefits — from the victim whose account was hacked

Justice Mounsey is living a financial nightmare, battling a constant onslaught of identity thieves applying for credit cards, loans and more under his name after hackers got hold of his personal information from a government website three years ago.

And as if that's not enough, that same department is forcing the Toronto man to clear his name over and over again. 

The personal and financial information of thousands of taxpayers, including their bank account and social insurance numbers ended up in the wrong hands after the Canada Revenue Agency (CRA) and other government service websites were hacked in the spring or summer of 2020.

Since then, fraudsters have tried to access credit and benefits under Mounsey's name at least 18 times. 

He's has had to deal with fraudulent credit card and bank account applications, auto-payments to a utility company —  and four EI claims plus a CERB claim totalling about $40,000. 

The most frustrating part, he says, is dealing with the government's demands that he pay thousands of dollars in taxes and interest, related to those EI claims. 

"They just keep asking for more and more money," Mounsey told Go Public. "I'm the victim here. This is their security protocol that failed, but I'm left to pick up all the pieces."

WATCH | Fighting to clear his name:

Mounsey is a part of a class-action lawsuit, certified last year in federal court, that claims "operational failures" by the government allowed hackers to access the information.

The government has not commented on the lawsuit, but has said the cyberattack relied on "credential stuffing"— using stolen IDs and passwords to access other websites and applications — and urged Canadians to avoid reusing passwords. Some saw this as an attempt to blame the leak on its victims. 

According to court documents, hackers successfully logged in to at least 48,110 CRA accounts. They then changed the direct deposit banking information on 12,700 taxpayer accounts and fraudulently applied for CERB benefits. Mounsey is one of them.

"At the end of the day, you have a Canadian, who's been victimized by a cyberattack," said Ritesh Kotak, a security analyst and a technology lawyer.

"The fact that an individual has to go, and go through so many different hoops, deal with so many different agencies, and spend hundreds of hours to address this situation is just inappropriate."

Mounsey first learned about the cyberattack in the summer of 2020, through his wife's friend, who had discovered her CRA account had been hacked.