New CRA My Account Breach Claims Offering Up to $5,280 in Payouts

Thousands of Canadians affected by one of the largest government account security breaches in recent history are approaching an important deadline. Following years of legal proceedings, the Federal Court has approved a multimillion-dollar settlement related to the 2020 cyberattacks that compromised CRA My Account, My Service Canada Account, and other Government of Canada online services.

The court-approved settlement, valued at approximately $8.76 million, is expected to provide compensation to eligible Canadians whose personal and financial information was exposed during credential-stuffing attacks that occurred in 2020. Once the claims process officially opens, qualifying individuals will have a limited period to submit their applications and potentially receive compensation of up to $5,280, depending on the extent of their losses and the supporting documentation they provide.

As the claims portal prepares to launch, affected Canadians should understand who qualifies, how much compensation may be available, what documents will be required, and how to avoid scams that are already attempting to exploit public interest in the settlement.

Understanding the CRA Data Breach and Class Action Settlement

The settlement stems from a series of cyberattacks that targeted Government of Canada online accounts during the early months of the COVID-19 pandemic.

Between June 15 and August 30, 2020, cybercriminals used a technique known as credential stuffing to gain unauthorized access to thousands of government accounts. This attack method relies on usernames and passwords stolen from unrelated data breaches and then tested across multiple websites and platforms in hopes that individuals reused the same login credentials.

Because many Canadians used identical passwords across multiple services, attackers successfully gained access to numerous government accounts linked to tax records, benefits programs, and personal information.

The compromised accounts included:

• CRA My Account
• My Service Canada Account
• GCKey-linked federal government accounts
• Other Government of Canada online services accessed through GCKey credentials

The breach exposed sensitive information that could include social insurance numbers, banking details, addresses, phone numbers, tax records, and benefit information.

In some instances, attackers used stolen account access to file fraudulent pandemic-related benefit applications, including claims for emergency support programs introduced during COVID-19.

How the Credential Stuffing Attacks Affected Canadians

The impact of the attacks extended far beyond unauthorized account access.

Many affected individuals discovered that their direct deposit information had been changed without permission. As a result, legitimate government payments were redirected to bank accounts controlled by cybercriminals.

Others found fraudulent applications submitted in their names for emergency government benefits. Victims often spent weeks or months communicating with federal agencies, financial institutions, law enforcement, and credit bureaus to resolve the resulting issues.

For some Canadians, the breach led to financial losses, damaged credit records, identity theft concerns, and substantial time spent restoring account security.

Government investigations later revealed that more than 47,000 online federal accounts were compromised during the attacks, making it one of the most significant cybersecurity incidents involving Canadian government services.

Who Is Eligible for the CRA Data Breach Settlement?

Not everyone affected by government account security concerns during 2020 automatically qualifies for compensation.

To be considered a member of the settlement class, an individual’s personal or financial information must have been disclosed without authorization through a Government of Canada online account between March 1 and December 31, 2020.

However, compensation eligibility focuses specifically on those impacted by the credential-stuffing attacks that occurred between June 15 and August 30, 2020.

Eligible Account Types

Individuals may qualify if they held one of the following accounts:

CRA My Account

This online portal allows Canadians to access tax information, notices of assessment, benefit records, direct deposit details, and other tax-related services.

My Service Canada Account

This platform provides access to federal benefits and programs, including Employment Insurance, Canada Pension Plan benefits, and Old Age Security information.

GCKey Accounts

Any federal government account accessed through GCKey credentials may also be included if personal information was compromised during the attack period.

Individuals Excluded from the Settlement

Certain individuals are not eligible to receive compensation.

Canadians who contacted Murphy Battista LLP regarding the CRA privacy breach class action before June 24, 2021, are categorized as excluded persons under the settlement agreement.

Additionally, individuals who formally opted out of the settlement before the established deadline are not eligible to submit claims.

How Much Compensation Can Eligible Canadians Receive?

The settlement establishes three separate compensation categories based on the severity of the impact experienced by affected individuals.

Each category has different eligibility requirements and compensation limits.

Tier One Compensation: Unauthorized Access Claims

The first compensation category applies to individuals whose account information was accessed without authorization but was not subsequently used for fraudulent activity.

Eligible claimants can receive compensation for time spent addressing the consequences of the breach.

Maximum Available Compensation

The settlement provides compensation at a rate of $20 per hour for up to four hours.

This means the maximum Tier One payment is $80.

Qualifying Activities

Examples of qualifying activities include:

• Contacting the CRA
• Communicating with Service Canada
• Reporting the breach
• Updating passwords and account security settings
• Contacting financial institutions
• Communicating with credit reporting agencies

Tier Two Compensation: Fraud-Related Claims

The second compensation category applies when stolen information was actually used for fraudulent purposes.

This category recognizes that victims often spend significantly more time resolving identity theft and unauthorized government benefit claims.

Maximum Available Compensation

Compensation remains set at $20 per hour but allows for up to ten claimable hours.

The maximum Tier Two payment is therefore $200.

Examples of Fraud-Related Situations

Qualifying circumstances may include:

• Fraudulent CERB applications
• Fraudulent CESB applications
• Unauthorized direct deposit changes
• Incorrect tax slips generated by fraudulent claims
• Misdirected government payments
• Identity theft investigations

Tier Three Compensation: Special Reimbursement Fund

The largest compensation category is reserved for Canadians who experienced direct financial losses or incurred expenses because of the breach.

This fund reimburses documented costs related to identity theft recovery and financial harm.

Maximum Available Compensation

Eligible individuals may receive reimbursement of up to $5,000.

Examples of Eligible Expenses

Potential reimbursable expenses include:

• Credit monitoring subscriptions
• Identity theft recovery services
• Legal assistance fees
• Professional consulting costs
• Replacement identification documents
• Banking fees related to fraud
• Unreimbursed financial losses
• Credit repair expenses

Claimants must provide supporting documentation demonstrating that the expenses were directly connected to the breach.

What Is the Maximum Settlement Payment Available?

Individuals who qualify under all three compensation categories may receive a combined maximum payout of $5,280.

The calculation includes:

• Up to $80 under Tier One
• Up to $200 under Tier Two
• Up to $5,000 under Tier Three

However, receiving the maximum amount is expected to be relatively uncommon because many claimants may only qualify under one category.

Why Most Canadians Will Receive Less Than $5,280

While headlines frequently focus on the maximum compensation amount, most settlement participants are unlikely to receive the full payout.

Several factors contribute to this reality.

Most Claims Fall Under the Basic Access Category

Many affected individuals experienced unauthorized account access but did not suffer documented fraud or financial losses.

These individuals are generally limited to Tier One compensation.

Documentation Requirements Are Stricter for Larger Claims

The highest reimbursement category requires substantial supporting evidence.

Without receipts, invoices, bank records, or other proof of loss, claimants may not qualify for significant reimbursements.

Payments May Be Reduced Proportionally

Approximately $6 million of the settlement fund is designated for class member compensation.

If total approved claims exceed the available amount, payments may be reduced on a proportional basis across eligible claimants.

As a result, final compensation amounts may differ from the stated maximums.

Important Dates in the CRA Settlement Timeline

The settlement process has unfolded over several years.

Summer 2020

Credential-stuffing attacks compromise more than 47,000 federal government accounts.

August 2020

The class action lawsuit is initiated against the Government of Canada.

August 2022

The Federal Court certifies the class action, allowing the lawsuit to proceed on behalf of affected Canadians.

December 2025

Settlement negotiations conclude with an agreement between the federal government and class counsel.

February 2026

Deadlines for objections and opt-outs pass.

March 2026

The Federal Court conducts the settlement approval hearing.

May 2026

The court officially approves the settlement agreement.

Summer 2026

The claims portal is expected to become available following the expiration of the appeal period.

Six Months After Portal Launch

The deadline for filing settlement claims is expected to occur six months after the claims portal opens.

How to Verify Your Eligibility Before Claims Open

Affected Canadians do not need to wait for the claims portal launch to begin preparing.

Review Settlement Communications

Individuals should carefully check both their inbox and spam folders for any notices regarding the settlement.

Official communications have been sent to many eligible class members.

Confirm Account History

Anyone who experienced unauthorized account activity, suspicious benefit claims, or unexpected changes to direct deposit information during 2020 should review any records they retained from that period.

Gather Supporting Documentation

Collecting documents now can make the claims process much easier once submissions begin.

Important records may include:

• CRA correspondence
• Service Canada notices
• Credit bureau communications
• Police reports
• Bank statements
• Fraud investigation records
• Credit monitoring invoices
• Identity theft recovery expenses

Documents That Can Strengthen a Settlement Claim

The quality of documentation submitted can significantly influence claim outcomes.

Government Correspondence

Official letters confirming unauthorized account access or account modifications may support eligibility.

Financial Records

Bank statements showing unauthorized transactions or redirected deposits may help substantiate losses.

Fraud Reports

Police reports, fraud case numbers, and identity theft investigations can provide valuable evidence.

Credit Protection Expenses

Receipts for credit monitoring services or fraud prevention tools may support reimbursement claims.

Professional Service Invoices

Invoices from lawyers, accountants, cybersecurity consultants, or identity recovery specialists may qualify under the reimbursement category if directly connected to the breach.

How to Protect Yourself from CRA Settlement Scams

Whenever a large settlement receives public attention, fraudsters attempt to exploit potential claimants.

Canadians should remain cautious and verify all communications carefully.

No Upfront Payment Is Required

Legitimate settlement administrators will never request a fee to release compensation funds.

Any request for advance payment should be considered fraudulent.

Be Suspicious of Unsolicited Messages

Unexpected text messages, emails, or phone calls promising immediate settlement payments should be treated with caution.

Avoid Clicking Unknown Links

Cybercriminals frequently create fake websites designed to steal personal information.

Always verify website addresses before entering sensitive details.

Never Share Sensitive Information Unnecessarily

Claimants should not provide banking details, passwords, social insurance numbers, or verification codes unless they are certain they are communicating through authorized settlement channels.

Preparing for the Claims Process

Although the official claims period has not yet begun, eligible Canadians can take several proactive steps.

Review your account records from 2020, gather any evidence related to unauthorized access or fraud, organize receipts and financial records, and ensure that your CRA My Account and My Service Canada Account use strong, unique passwords.

Being prepared before the claims portal opens can simplify the filing process and help ensure that all eligible compensation categories are properly claimed.