Thousands of Canadians affected by the massive Canada Revenue Agency data breaches are finally set to receive compensation after the federal government agreed to an $8.7 million settlement in a long-running class-action lawsuit tied to hacked CRA accounts during the COVID-19 pandemic.
The CRA data breach lawsuit settlement marks one of the most significant cyberattack-related settlements involving federal government systems in recent years. The case centered on the Canada Revenue Agency data breaches that exposed sensitive financial and personal information of tens of thousands of taxpayers when hackers infiltrated online government accounts in 2020.
The Federal Court officially approved the settlement this week, ending years of legal battles between affected Canadians and Ottawa over the handling of the cyberattacks targeting CRA’s MyAccount portal and other federal online services.
Canada Revenue Agency Data Breaches Exposed Thousands of Canadians
The Canada Revenue Agency data breaches occurred during the early months of the COVID-19 pandemic when hackers specifically targeted online government systems to fraudulently apply for emergency financial benefits like the Canada Emergency Response Benefit (CERB) and the Canada Emergency Student Benefit (CESB).
According to court documents, more than 47,000 Canadians had highly sensitive information compromised between June and August 2020. The stolen data included:
- Social Insurance Numbers (SINs)
- Banking information
- Home addresses
- Email addresses
- Direct deposit details
- Taxpayer account information
The Canada Revenue Agency data breaches quickly became one of the biggest cybersecurity controversies during the pandemic as victims discovered fraudulent CERB applications filed in their names and legitimate benefit payments redirected into unknown bank accounts.
Federal Court Justice Richard Southcott approved the settlement, stating that the agreement was “fair, reasonable, and in the best interests of the class as a whole.”
How Hackers Accessed CRA Accounts During the Canada Revenue Agency Data Breaches
Court filings revealed that hackers used a cyberattack technique known as “credential stuffing” to gain access to CRA accounts.
Credential stuffing happens when criminals use usernames and passwords leaked from unrelated websites and attempt to use those same login credentials on government portals or banking platforms. Because many people reuse passwords across multiple websites, hackers were able to successfully access thousands of accounts.
Under normal circumstances, the CRA’s MyAccount system required users to answer additional security questions after entering login details. However, the court heard that during the Canada Revenue Agency data breaches, hackers were able to bypass those security protections because of a misconfiguration in the CRA’s credential management software.
According to court records, the CRA became aware of the issue on Aug. 6, 2020 after a law enforcement partner warned officials that cybercriminals were selling the bypass method on the dark web.
The agency reportedly corrected the issue four days later while temporarily shutting down online services as investigations intensified.
The same hacking technique was also used to target:
- My Service Canada Accounts
- GCKey-linked federal government accounts
- Other online government services connected to federal login systems
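How the two failure modes described above would surface in authentication logs, as an added defender-side example that is not from the article, the court record, or the CRA. It flags source addresses that try many distinct usernames and mostly fail (credential stuffing), and sessions granted account access without a passed security-question step (the bypass); the log format, event names, thresholds and sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log in a hypothetical format: "timestamp ip user event session".
# Events: LOGIN_FAIL, LOGIN_OK (password accepted), CHALLENGE_OK, SESSION_START.
SAMPLE_LOG = """\
2020-08-01T10:00:01 203.0.113.7 alice LOGIN_FAIL -
2020-08-01T10:00:02 203.0.113.7 bob LOGIN_FAIL -
2020-08-01T10:00:03 203.0.113.7 carol LOGIN_FAIL -
2020-08-01T10:00:04 203.0.113.7 dave LOGIN_OK s1
2020-08-01T10:00:05 203.0.113.7 dave SESSION_START s1
2020-08-01T10:00:06 203.0.113.7 erin LOGIN_FAIL -
2020-08-01T10:05:00 198.51.100.4 frank LOGIN_FAIL -
2020-08-01T10:05:20 198.51.100.4 frank LOGIN_OK s2
2020-08-01T10:05:40 198.51.100.4 frank CHALLENGE_OK s2
2020-08-01T10:05:41 198.51.100.4 frank SESSION_START s2
"""

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5:          # skip malformed lines
            yield dict(zip(("ts", "ip", "user", "event", "session"), parts))

def stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """IPs that attempted many distinct usernames and mostly failed."""
    users, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        if e["event"] in ("LOGIN_FAIL", "LOGIN_OK"):
            users[e["ip"]].add(e["user"])
            total[e["ip"]] += 1
            ok[e["ip"]] += e["event"] == "LOGIN_OK"
    return sorted(ip for ip in users
                  if len(users[ip]) >= min_users
                  and ok[ip] / total[ip] <= max_success_ratio)

def unchallenged_sessions(events):
    """Sessions started with no earlier CHALLENGE_OK for the same session id."""
    challenged, flagged = set(), []
    for e in events:
        if e["event"] == "CHALLENGE_OK":
            challenged.add(e["session"])
        elif e["event"] == "SESSION_START" and e["session"] not in challenged:
            flagged.append((e["session"], e["user"], e["ip"]))
    return flagged

if __name__ == "__main__":
    evts = list(parse(SAMPLE_LOG))
    print(stuffing_sources(evts))
    print(unchallenged_sessions(evts))
```

Per-address counting is only one signal, since login attempts can be spread across many source addresses; the second check does not depend on the source address at all.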
CRA Data Breach Lawsuit Settlement Details
The approved CRA data breach lawsuit settlement totals $8.7 million, with approximately $6 million specifically reserved for victims whose personal information was compromised during the Canada Revenue Agency data breaches and related federal account breaches.
The remaining funds will cover:
- Legal fees
- Administrative costs
- Compensation for representative plaintiffs
- Settlement management expenses
KPMG has been appointed to administer the settlement and process claims submitted by affected Canadians.
Compensation Amounts Under the CRA Data Breach Lawsuit Settlement
Eligible Canadians may receive compensation depending on how severely they were impacted by the Canada Revenue Agency data breaches.
Victims can claim:
- Up to $80 for lost time and inconvenience
- Up to $200 if fraudulent CERB claims were filed using their information
- Up to $5,000 for out-of-pocket expenses linked to identity theft or fraud
Examples of reimbursable costs include:
- Fraud-related banking charges
- Credit monitoring expenses
- Identity theft recovery costs
- Legal or administrative fees caused by the breach
The settlement also includes a provision stating that any unclaimed money will not return to the federal government. Instead, leftover funds will reportedly be donated to the Privacy and Access Council of Canada to support privacy and cybersecurity research initiatives.
Lead Plaintiff Discovered Fraudulent CERB Applications
The lawsuit was led by Todd Sweet of Clinton, who discovered his CRA account had been compromised after receiving notifications that changes had been made to his account information.
When he logged into the CRA portal, he found hackers had:
- Changed his email address
- Updated direct deposit banking details
- Submitted four CERB applications in his name
The lawsuit alleged that government failures allowed at least three separate cyberattacks to occur throughout 2020 and argued that officials failed to properly secure taxpayer information or detect suspicious activity quickly enough.
Court documents described the government’s response as inadequate and accused officials of showing “callous disregard” for victims affected by the Canada Revenue Agency data breaches.
Federal Government Responds to CRA Data Breach Settlement
In response to the settlement approval, the CRA said protecting taxpayer information remains a top priority.
The agency noted that no organization is completely immune to cyberattacks and said it has strengthened monitoring systems and security tools since the 2020 incidents.
The Canada Revenue Agency has since encouraged Canadians to:
- Use strong and unique passwords
- Enable multi-factor authentication
- Monitor CRA account activity regularly
- Avoid reusing login credentials across multiple websites
Cybersecurity experts continue to warn Canadians that credential stuffing attacks remain one of the most common threats facing online accounts worldwide.
Some Victims Say the CRA Data Breach Lawsuit Settlement Is Too Low
Although the court approved the settlement, not everyone affected by the Canada Revenue Agency data breaches supports the compensation amounts.
According to the ruling, 29 individuals objected to the settlement, with many arguing the payouts were too small considering the emotional, financial, and mental stress caused by identity theft and fraud.
Justice Southcott acknowledged that the settlement may feel “wholly inadequate” for some victims who experienced severe harm. However, he concluded the agreement still provided a reasonable level of compensation for the broader group of affected Canadians.
Those who disagree with the settlement still have the option to opt out and pursue separate legal action independently.
Canada Revenue Agency Data Breaches Raise Ongoing Cybersecurity Concerns
The Canada Revenue Agency data breaches continue to serve as a warning about the growing risks tied to digital government services and online identity theft.
As more Canadians rely on online portals for taxes, government benefits, banking, and personal records, cybersecurity experts say strong password habits and additional account protections are more important than ever.
The CRA data breach lawsuit settlement may close the legal chapter surrounding the 2020 attacks, but the Canada Revenue Agency data breaches remain one of the clearest examples of how vulnerable sensitive government systems can become during periods of crisis and rapid demand.
