An $8.7M CRA settlement has been approved, and some Canadians may be eligible to claim more than $5,000

An $8.7M CRA settlement has been approved, and some Canadians may be eligible to claim more than $5,000

Stick to the Facts

Add Nbsla.ca as a Preferred Source on Google to see more of our stories in your search results.

Add as a preferred source on Google

Thousands of Canadians whose personal information was exposed during a major government cyberattack could soon receive compensation following the approval of a multimillion-dollar class action settlement. The settlement, valued at $8.7 million, comes after years of legal proceedings related to a series of cyberattacks that targeted online government accounts in 2020.

The cyber incidents affected tens of thousands of Canadians who relied on online services provided by the Canada Revenue Agency (CRA) and Service Canada. Sensitive personal and financial information was exposed, and in many cases, cybercriminals allegedly used the stolen data to submit fraudulent government benefit claims.

A Federal Court judge officially approved the settlement on May 5, 2026, bringing an important chapter of the case closer to resolution. While the Government of Canada has denied any wrongdoing, the settlement was reached to avoid the costs, risks, and delays associated with prolonged litigation.

For Canadians who believe their information may have been compromised, understanding the eligibility requirements and compensation process is essential. Here is everything you need to know about the settlement, who qualifies, and how much money may be available.

Understanding the CRA and Service Canada Data Breach

The class action lawsuit centered on a series of cyberattacks that targeted several Government of Canada online services during the summer of 2020.

Among the affected platforms were:

CRA My Account

CRA My Account is an online portal that allows Canadians to access tax information, file returns, review benefits, and manage personal tax records.

My Service Canada Account

This platform provides access to various federal services, including Employment Insurance, Canada Pension Plan benefits, and Old Age Security information.

GCKey Accounts

GCKey is a secure credential system used by Canadians to access numerous government services online. Because many government departments rely on GCKey authentication, a breach involving these accounts can have widespread consequences.

According to allegations made in the lawsuit, unauthorized third parties gained access to sensitive information stored within these government accounts. The plaintiffs argued that insufficient safeguards allowed cybercriminals to obtain access to confidential data belonging to thousands of Canadians.

How the Cyberattacks Happened

The attacks occurred between June 15 and August 30, 2020.

Cybercriminals used a technique commonly known as credential stuffing. This method does not typically involve breaking into government systems directly. Instead, hackers rely on usernames and passwords stolen from unrelated websites and services.

What Is Credential Stuffing?

Credential stuffing occurs when cybercriminals obtain login credentials from previous data breaches and then attempt to use those same credentials across multiple websites and platforms.

Many people reuse the same password across different online accounts. As a result, if a username and password combination is exposed during one breach, hackers may successfully use those credentials elsewhere.

In the case of the government attacks, cybercriminals allegedly used previously compromised login information to gain unauthorized access to CRA, Service Canada, and GCKey accounts.

Because many Canadians used passwords that had been exposed elsewhere, attackers were able to access government accounts without needing to bypass sophisticated security systems.

Fraudulent CERB Applications Raised Serious Concerns

One of the most significant consequences of the cyberattacks involved fraudulent applications for government benefits.

Criminals Exploited Pandemic Relief Programs

During the COVID-19 pandemic, the federal government introduced the Canada Emergency Response Benefit (CERB) to provide financial support to eligible Canadians affected by economic disruptions.

According to allegations in the lawsuit, some cybercriminals used stolen account access to submit fraudulent CERB applications in the names of victims.

This created significant challenges for affected Canadians.

Many individuals discovered unauthorized activity only after receiving notifications from government agencies, reviewing their account records, or noticing unusual financial transactions.

Victims often spent considerable time resolving issues related to identity theft, correcting government records, communicating with authorities, and protecting themselves from further fraud.

More Than 47,000 Canadians Were Affected

The scale of the breach was substantial.

Court documents indicate that more than 47,000 Canadians were impacted by the cyberattacks and subsequent unauthorized access to government accounts.

The affected individuals faced varying degrees of harm.

Some experienced only unauthorized access to their information, while others encountered more serious consequences, including fraudulent benefit applications, identity theft concerns, financial losses, and lengthy administrative processes required to restore account security.

The widespread nature of the incident prompted legal action against the federal government, ultimately resulting in the approved settlement.

Why the Government Agreed to a Settlement

Although the settlement has been approved, it is important to understand that the Government of Canada has not admitted liability.

No Admission of Wrongdoing

As is common in many class action cases, the government continues to deny allegations that it acted improperly.

The settlement agreement specifically states that compensation is being provided without any admission of fault, negligence, or legal responsibility.

Avoiding Lengthy Litigation

Class action lawsuits can take many years to resolve through trial and appeals.

By reaching a settlement, both parties avoid the uncertainty and expense associated with continued litigation.

For affected Canadians, the settlement provides a pathway to compensation without waiting for additional years of court proceedings.

Who Qualifies for the Settlement?

Not every individual whose information was involved in a government account breach will automatically qualify for compensation.

Specific eligibility requirements must be met.

Definition of a Class Member

You may be considered a class member if your personal or financial information stored in a Government of Canada online account was disclosed to an unauthorized third party between March 1, 2020, and December 31, 2020.

However, being a class member alone does not automatically guarantee payment.

Additional Requirements for Compensation

To receive compensation, individuals generally must fall within the group affected by the credential stuffing attacks that occurred between June 15 and August 30, 2020.

Additionally, the individual’s information must have been accessed or used for fraudulent purposes.

These requirements are intended to ensure that compensation is directed toward those most directly affected by the cyberattacks and resulting misuse of personal information.

How to Confirm Your Eligibility

Many affected Canadians have already received communications regarding the settlement.

Watch for a Notification from KPMG

KPMG has been appointed as the claims administrator for the settlement.

If you received an email from KPMG informing you about the settlement, this is a strong indication that you may be eligible to participate in the claims process.

Use the Online Eligibility Tool

Potential claimants can also verify their eligibility through the official settlement website.

The verification process generally requires:

  • Your last name
  • The last three digits of your Social Insurance Number (SIN)
  • Your email address

Providing this information allows the system to determine whether you are included within the settlement class.

Canadians should always ensure they are using the official settlement website and remain cautious of phishing emails or fraudulent websites attempting to collect personal information.

How Much Compensation Could You Receive?

The settlement establishes several categories of compensation depending on the type of harm experienced by affected individuals.

The amount each person receives will depend on their circumstances and supporting documentation.

Compensation for Time Spent Addressing Unauthorized Access

Eligible claimants may receive up to $80 for time spent dealing with unauthorized access to their government account.

Examples may include:

  • Contacting government agencies
  • Resetting passwords
  • Securing online accounts
  • Reviewing account activity
  • Responding to breach notifications

Compensation for Time Spent Addressing Fraudulent Use of Information

Individuals whose information was used fraudulently may qualify for additional compensation.

Eligible claimants may receive up to $200 for time spent addressing the fraudulent use of personal information.

This could include:

  • Communicating with financial institutions
  • Resolving identity theft issues
  • Contacting government departments
  • Monitoring credit reports
  • Correcting fraudulent records

Reimbursement for Out-of-Pocket Expenses

The largest category of compensation covers actual expenses related to the breach.

Eligible claimants may receive up to $5,000 in reimbursement for documented losses.

Potential reimbursable expenses may include:

  • Unreimbursed fraud losses
  • Identity theft recovery costs
  • Credit monitoring expenses
  • Legal fees related to the breach
  • Other directly connected financial losses

Documentation will likely be required to support these claims.

Individuals should begin gathering relevant records, receipts, correspondence, and evidence if they believe they may qualify for reimbursement.

What Happens Next?

Although the settlement has received court approval, the claims process has not yet officially opened.

No Claims Can Be Submitted Yet

At this stage, eligible Canadians do not need to submit anything.

The claims process will begin only after the court judgment becomes final and any remaining legal requirements are completed.

Instructions Will Be Sent to Eligible Individuals

Once the settlement administration process moves forward, eligible class members will receive detailed instructions regarding:

  • How to file a claim
  • Required documentation
  • Submission deadlines
  • Available compensation categories
  • Claim review procedures

Affected individuals should monitor their email accounts and regularly check official settlement updates to avoid missing important deadlines.

Why This Settlement Matters for Canadians

The approved settlement highlights growing concerns about cybersecurity, data protection, and identity theft in an increasingly digital world.

Government agencies, financial institutions, healthcare providers, and private businesses all maintain extensive collections of personal information. When that information becomes accessible to unauthorized individuals, the consequences can be severe.

For many victims of the 2020 attacks, the financial losses represented only part of the problem. Time spent correcting records, restoring account security, and dealing with stress related to identity theft also created significant burdens.

The settlement recognizes these impacts by providing compensation not only for direct financial losses but also for the time individuals invested in resolving issues caused by the breach.

Lessons Canadians Can Learn From the 2020 Cyberattacks

The attacks also serve as an important reminder about online security.

Use Unique Passwords

One of the primary reasons credential stuffing attacks succeed is password reuse.

Every online account should have its own unique password.

Enable Multi-Factor Authentication

Whenever possible, Canadians should activate multi-factor authentication to add an extra layer of protection beyond a password.

Monitor Financial Accounts Regularly

Frequent monitoring can help identify suspicious activity before significant damage occurs.

Update Passwords After Data Breaches

If a website announces a breach, affected users should immediately change passwords on all accounts that may share similar credentials.

Stay Alert for Fraud Attempts

Cybercriminals often use stolen information in phishing emails, text messages, and phone scams. Individuals should remain cautious when sharing personal information online.

Final Thoughts

The approval of the $8.7 million CRA and Service Canada data breach settlement marks an important development for more than 47,000 Canadians affected by the 2020 cyberattacks. While the Government of Canada continues to deny wrongdoing, the settlement provides a structured path toward compensation for individuals whose personal and financial information was exposed or misused.

Eligible Canadians may be able to claim compensation for time spent addressing unauthorized account access, resolving fraud issues, and recovering documented financial losses. Depending on individual circumstances, payments could reach as much as $5,000 for qualifying expenses.

Leave a Reply

Your email address will not be published. Required fields are marked *