Do H&R Block’s Security Measures Actually Protect Taxpayers?

H&R Block Tightens Security

After several years of incidents in which Canadian taxpayer data handled by H&R Block was compromised, the company has begun emphasizing security more heavily in its advertising. It now highlights several measures meant to reassure clients that their information is protected.

They list the following:

🔐 Mandatory Multi-Factor Authentication
🛡️ 24/7/365 cyber defense monitoring
✉️ Advanced email protection & encryption
🎓 Cybersecurity-certified Tax Experts
📁 Secure document handling + storage

Let’s go through each of these.

Mandatory Multi-Factor Authentication

Many workplaces already use multi-factor authentication (MFA) to protect systems that have nothing to do with tax data. At this point, it is essentially a baseline security standard.

MFA can help prevent remote attackers from logging in with stolen passwords. If someone obtains a username and password, the additional authentication step may stop them from accessing the system.

However, MFA is not a complete solution. If attackers gain access to the actual laptop or workstation used for filing returns, the protection becomes far less effective. Malware on a computer could also allow attackers to operate within an already authenticated session, limiting the protection MFA provides.

It also offers little protection against insider threats. For example, a new employee who legitimately has system access would still be able to log in and use the system.

24/7/365 Cyber Defense Monitoring

This phrase is far vaguer and reads largely as marketing language. Nearly all modern computer systems already include some form of security monitoring, so the statement presumably refers to something beyond those basic protections.

Monitoring systems may detect suspicious behavior such as unusual refund amounts or abnormal activity patterns. In theory, that could trigger alerts.

But attackers often adapt. If certain actions trigger alerts, they may simply conduct fraud more slowly or carefully to avoid detection. Another possibility is overwhelming monitoring systems with activity until analysts experience alert fatigue and some fraudulent claims slip through unnoticed.

There is also the question of infrastructure. Many H&R Block locations operate as franchises, so offices and equipment are managed locally. This can introduce variation in how systems are administered and potentially create gaps in oversight.

Ultimately, if attackers are using legitimate credentials, the activity may appear normal to monitoring systems. Unless strong fraud analytics are in place to detect unusual patterns, the system may allow those filings to proceed.

Advanced Email Protection & Encryption

This is another phrase that leans heavily on marketing language. Today, most email systems already encrypt messages automatically while they are in transit between mail servers. In other words, some level of email encryption is already standard.

Companies can go further by using more sophisticated protections, such as filtering systems that detect suspicious links, fake login pages, or malicious attachments. But technology alone is not foolproof. A major question is whether staff are adequately trained to recognize phishing attempts and social engineering attacks. Even experienced professionals occasionally fall for well-crafted scams.

Cybersecurity-Certified Tax Experts

This leads to the next claim: that their tax experts are “cybersecurity-certified.”

The key phrase here is tax experts. This is a company-defined title rather than a regulated professional designation. These roles are not necessarily filled by licensed accountants.

According to hiring requirements listed by H&R Block, the basic qualifications include:

  • A high school diploma or GED
  • Completion of the H&R Block Income Tax Course
  • Customer service skills such as empathy, efficiency, and clear communication

In other words, the entry barrier is relatively low compared with regulated accounting professions.

The cybersecurity certification claim is also difficult to evaluate because the term itself is broad. There are thousands of cybersecurity courses available. Some require hundreds of hours of training and lead to well-recognized industry certifications. Others may involve only a short internal security awareness course.

Without more detail, the phrase “cybersecurity-certified” could mean anything from extensive professional training to a brief internal course.

If the company wanted to strengthen this claim, they could reference independent security audits or recognized security standards. Those kinds of disclosures would provide more concrete evidence of strong security practices.

Secure Document Handling + Storage

Finally, the company states that it uses “secure document handling and storage.”

But this is essentially the minimum expectation for any organization that handles sensitive financial information. Saying documents are securely handled is somewhat like saying they are stored safely. It is reassuring to hear, but it does not provide much insight into what specific protections are actually in place.

Conclusion

For people who do not file their own taxes—often because they are uncomfortable with technology, unfamiliar with the tax system, or worried about making a mistake—this kind of messaging from H&R Block can sound reassuring. Security features listed in simple bullet points create the impression that strong protections are in place.

However, when examined more closely, most of these claims describe baseline practices rather than new or exceptional safeguards. Multi-factor authentication, employee security training, and secure document storage are standard expectations for organizations that handle sensitive financial data.

It is also worth remembering that many of these types of protections likely existed before previous incidents involving compromised taxpayer information. Security measures on paper do not automatically prevent fraud or credential misuse in practice.

Another point of contention is accountability. H&R Block has previously stated that its core systems were not breached, suggesting that stolen credentials or external compromises may have been responsible. While that distinction may be technically important, it does little to reassure affected taxpayers whose information was still exposed or misused.

Ultimately, when Canadians hand over their tax data to a private company, they are trusting that organization with some of the most sensitive information they possess. While breaches can occur in any large system—including government systems such as those run by the Canada Revenue Agency—private companies handling large volumes of personal financial data also present attractive targets for fraud and identity theft.

Reports from the Office of the Privacy Commissioner show that hundreds of private-sector organizations report data breaches each year, affecting tens of millions of Canadian accounts. While federal agencies like the CRA also experience privacy breaches, many government incidents involve administrative errors rather than large-scale cyberattacks.

For taxpayers, the key takeaway is that security marketing claims should be viewed critically. Bullet points about cybersecurity may sound impressive, but they do not necessarily reveal how well a system actually protects the people whose data is entrusted to it.