Stick to the Facts
Add Nbsla.ca as a Preferred Source on Google to see more of our stories in your search results.
A major $8.7 million class action settlement involving the Government of Canada has officially been approved, raising an important question for thousands of Canadians: can you receive compensation?
The case centers on a significant privacy breach involving online government accounts, including Canada Revenue Agency (CRA) services, Service Canada accounts, and other platforms accessed through GCKey. Between March and December 2020, cybercriminals exploited vulnerabilities in government login systems using credential stuffing attacks, leading to unauthorized access to sensitive personal and financial data.
While thousands of individuals were affected, only a specific group within the broader class will be eligible for financial compensation under the settlement terms. Understanding whether you qualify requires knowing exactly what happened, how the breach occurred, and how eligibility is determined.
This article breaks down the lawsuit, the settlement details, who qualifies, how the breach unfolded, and what steps affected individuals can take next.
What Is the Government of Canada Class Action Lawsuit About?
The class action lawsuit against the Government of Canada relates to a series of cyberattacks known as credential stuffing attacks. These incidents took place over a period stretching from March 1, 2020, to December 31, 2020.
Credential stuffing is a type of cyberattack where hackers use stolen usernames and passwords from previous data breaches to try logging into unrelated accounts. Since many people reuse the same login credentials across multiple services, attackers can gain access when systems lack sufficient safeguards.
Allegations in the Case
The lawsuit alleged that inadequate security protections in certain Government of Canada online systems allowed unauthorized third parties to access confidential user information. These systems included:
CRA My Account
My Service Canada Account
Other government services accessed using GCKey
The claim argues that stronger safeguards could have prevented or reduced the scale of the breaches.
How the Data Breach Happened
The cyberattacks targeted government login systems during a time when many Canadians were relying heavily on online services, especially during the COVID-19 pandemic.
Hackers used automated tools to test stolen username and password combinations across government platforms. When users had reused credentials from other compromised websites, attackers were able to break into their accounts.
Once inside, they could view sensitive information and, in some cases, make unauthorized changes.
Scope of the Impact
The breach affected a significant number of accounts across multiple government platforms.
CRA Accounts Compromised
At least 48,110 CRA online accounts were impacted during the attacks.
Out of these:
26,250 accounts were successfully logged into by unauthorized users
13,550 accounts were partially accessed, where attackers viewed personal information but did not proceed further
12,700 accounts experienced more severe breaches, where direct deposit banking information was changed and fraudulent applications for CERB benefits were made
These figures highlight the varying levels of access achieved by attackers, from simple viewing of account dashboards to active financial manipulation.
GCKey and Service Canada Accounts
The breach also extended beyond CRA systems.
5,957 GCKey accounts were potentially impacted
3,200 compromised My Service Canada Accounts were used to access CRA accounts
Around 1,200 of those linked accounts were used to apply fraudulently for COVID-19 emergency benefits such as CERB
The interconnected nature of government login systems meant that once one account was compromised, attackers could potentially move between services.
What Is the Settlement?
On May 5, 2026, a federal court approved a settlement agreement in the class action lawsuit. The total compensation fund is valued at $8,760,500.90.
This settlement is intended to compensate eligible individuals whose personal or financial information was accessed or misused as a result of the cyberattacks.
Government Position
Although the settlement has been approved, the Government of Canada has not admitted any wrongdoing. The settlement is a legal resolution designed to avoid further litigation and provide compensation to affected individuals under agreed terms.
Who Is Included in the Class Action?
The class definition is broad, but eligibility for payment is narrower.
General Class Membership
You may be considered part of the class if your personal or financial information stored in a Government of Canada online account was accessed or disclosed without authorization between March 1, 2020, and December 31, 2020.
This includes users of:
CRA My Account
My Service Canada Account
Other GCKey-enabled government services
Being part of the class means you are recognized as someone potentially affected by the breach period, even if your account was not deeply compromised.
Who Is Eligible for Compensation?
Not all class members will receive a payment. The settlement applies stricter criteria for compensation eligibility.
Compensation Eligibility Requirements
To qualify for financial compensation, individuals must meet all of the following conditions:
They must have been affected by unauthorized access between June 15, 2020, and August 30, 2020
Their personal information must have been accessed or used in a fraudulent manner
There must be evidence of misuse, such as changes to account information or fraudulent benefit applications
This narrower window reflects the period during which the most serious fraudulent activity occurred.
What Counts as Fraudulent Use
Fraudulent use may include:
Changes to direct deposit banking details
Unauthorized applications for COVID-19 relief programs such as CERB
Use of personal tax or identity information to access other government services
Accounts where only login attempts or minimal viewing occurred may not qualify for compensation.
How You Can Check If You Are Eligible
Many affected individuals were contacted directly.
Email Notifications from the Claims Administrator
If you received an email from KPMG, the appointed claims administrator for this settlement, it may indicate that you are eligible to submit a claim.
The notification typically includes instructions on how to proceed and what information you will need to verify your identity and account status.
Online Eligibility Check
Individuals can also check eligibility through the official class action settlement website. The verification process may require:
Your last name
The last three digits of your Social Insurance Number
Your email address
This information is used to confirm whether your account was part of the impacted group and whether you fall within the compensation criteria.
How the Claims Process Works
Although each claim will be reviewed individually, the general process follows a standard structure.
Step 1: Submitting a Claim
Eligible individuals must submit a claim through the official settlement portal. This includes providing personal identification details and any required documentation.
Step 2: Verification
The claims administrator reviews submitted information and cross-references it with breach data to confirm eligibility.
Step 3: Assessment of Harm
The administrator determines whether the account was simply accessed or whether it was actively used for fraudulent purposes. This step is critical in determining eligibility for compensation.
Step 4: Payment Distribution
Approved claims will receive a payment from the settlement fund. The amount may vary depending on the number of valid claims and the extent of individual harm.
Why Not Everyone Will Receive Money
Although thousands of accounts were affected, the settlement fund is limited in size compared to the number of potential claimants.
There are several reasons not all class members will be compensated:
Some accounts were only minimally accessed without financial harm
The settlement prioritizes cases involving actual fraud or financial misuse
The total fund must be divided among all approved claimants
This means that even eligible individuals may receive different amounts depending on the severity of their case and the number of approved claims.
The Importance of the Case
This class action highlights the risks associated with large-scale digital government systems and the growing threat of credential-based cyberattacks.
It also underscores several key issues:
The importance of unique passwords for different online accounts
The risks of credential reuse across multiple platforms
The need for stronger multi-factor authentication systems
The challenges governments face in protecting centralized digital services
For many Canadians, the case serves as a reminder of how quickly personal data can be exposed when cybersecurity defenses are bypassed.
What Affected Individuals Should Do Now
If you believe you may be part of the affected group, it is important to take action promptly.
Check your email for official communication from the claims administrator
Visit the official settlement claims portal to verify eligibility
Gather any relevant documentation related to your CRA or Service Canada account
Submit your claim before the deadline once confirmed eligible
Even if you are unsure, checking your eligibility is worthwhile, as some individuals may not realize their accounts were accessed during the breach period.
Conclusion
The $8.7 million Government of Canada class action settlement represents the conclusion of a major privacy breach case involving CRA, Service Canada, and GCKey accounts. While thousands of Canadians were affected by unauthorized access attempts during 2020, only a subset of individuals will qualify for financial compensation.
Eligibility depends not only on being part of the breach period but also on whether accounts were actively compromised and used fraudulently between mid-June and late August 2020.