Cyber-protection agency a victim of fraud
Federal agency caught in wide-ranging overbilling scam
Canada’s premier agency for cyber-security, which helps governments and businesses defend against bad actors, itself got scammed as part of a wide-ranging IT overbilling fraud worth several million dollars.
The Canadian Cyber Security Centre, an arm of the Communications Security Establishment, was defrauded in the amount of $328,881.70, say newly released documents.
Investigators with Public Services and Procurement Canada (PSPC) first revealed the fraud in early 2024, determining that three subcontractors submitted timesheets and claimed remuneration for “work that was not performed.”
The broad investigation involved 36 federal departments and agencies, who were collectively scammed an estimated $5 million. In a news release at the time, Public Services declined to provide details, including which institutions had been fraudulently billed. The then-minister, Jean-Yves Duclos, said the invoicing was done on paper, making detection difficult.
But an internal memo shows that one of the institutions targeted was the Canadian Cyber Security Centre. “Your department was identified as one of the victims in this scheme,” says a document package, obtained under the Access to Information Act. Most of the documents, released three months beyond the legislated deadline, are heavily censored. See here:
Public Services, which was itself hit by the overbilling, has been gathering contract information from affected agencies and departments in order to co-ordinate restitution for all of them. The documents indicate investigators have been chasing down prime contractors for the missing money, rather than the subcontractors themselves, because of rules on recouping federal overpayments.
The Communications Security Establishment reported the fraud case to Parliament late last year, in the Public Accounts of Canada, but did not cite the circumstances. The agency told Parliament it expected to eventually recover the missing money.
A spokesperson for Public Services declined to provide a list of affected departments and agencies, and said the total fraud involving the three contractors now is estimated at about $4.5 million.
“PSPC has put measures in place which has resulted in the completed or ongoing recovery of more than $4 million,” Michele LaRose said in an email.
“Moreover, additional progress has been made through negotiated settlements as a result of a Notice of Action in the Ontario Superior Court of Justice filed by the Department of Justice in February 2025,” she said.
“To protect the integrity of this ongoing work, we cannot comment further at this time.”
The ‘notice of action’ appears to refer to a $1.6-million civil suit launched against an Ottawa-based IT subcontractor and the companies that employed him, as reported by the CBC and the Globe and Mail.
The suit, which names seven companies, alleged the subcontractor submitted timesheets where the total hourly claim exceeded 24 hours a day. LaRose has said the suit involves one of the three cases first announced by the department early last year.
The timesheet fraud is only the latest uncovered by Public Services. In 2021, the department found that a single consultant had overbilled eight agencies and Crown corporations by an estimated $250,000 in 2020 and 2021. The consultant, whose security clearance was revoked, was later charged by RCMP with fraud.
Public Services said last November that the case was among seven it had referred to the RCMP for further investigation.
Last year, Auditor General Karen Hogan released a report on ArriveCan that slammed the government’s burgeoning spending on development of the travel app. Costs ballooned from $80,000 to almost $60 million. Hogan later said she was launching a new audit focused on the two-person IT company that had been chosen prime contractor for the app’s development.
Update May 22, 2025: Another access-to-information request shows that the Canadian Space Agency was also a victim of the same fraud. The agency lost $130,301. The amount was reported in the 2024 Public Accounts of Canada, but with no details. The ATI request makes clear the amount is in fact related to the overbilling fraud.