CRA Data Breach Settlement Approved: Canadians Can Claim Up to $5,000 After 2020 Hack

The Canadian federal government has agreed to pay $8.7 million under a proposed class-action settlement tied to a major 2020 credential-stuffing cyberattack that exposed personal and financial information through Government of Canada online accounts, including Canada Revenue Agency accounts and services accessed through GCKey.

The Federal Court approved the settlement this week, ending a years-long legal battle over a wave of cyberattacks that unfolded during the early months of the COVID-19 pandemic. Hackers targeted online government accounts largely to apply for emergency financial aid programs such as the Canada Emergency Response Benefit (CERB) and the Canada Emergency Student Benefit (CESB).

According to court filings, more than 47,000 Canadians had sensitive information compromised between June and August 2020. Exposed data included social insurance numbers, home addresses, dates of birth, banking details and other taxpayer information stored inside federal online portals.

The lead plaintiff in the case, Todd Sweet of Clinton, British Columbia, discovered his CRA account had been hacked after receiving emails stating that the address connected to his account had been changed. When he logged in, he found fraudsters had altered his direct deposit information and filed multiple CERB claims in his name.

As similar reports surfaced across Canada, the CRA temporarily shut down online account services in August 2020 after thousands of Canadians reported suspicious activity or unauthorized changes to their accounts.

The settlement has quickly become one of the most discussed legal and cybersecurity stories in the country this week, alongside other developments covered in our latest Canada news and policy coverage.

How the CRA breach happened

The attacks were linked to a cybercrime tactic known as “credential stuffing,” where hackers use usernames and passwords stolen from unrelated websites to try logging into other accounts. Cybersecurity experts say the method often succeeds because many people reuse the same passwords across multiple online services.

Normally, CRA MyAccount users were required to answer security questions as an additional verification step after entering their username and password. However, Federal Court Justice Richard Southcott previously noted that attackers were able to bypass those security questions because of what court documents described as a “misconfiguration” in the CRA’s credential management software.

The court heard that the CRA became aware of the problem on Aug. 6, 2020, after a law enforcement partner informed officials that instructions for bypassing the system were being sold on the dark web. The issue was reportedly fixed four days later, alongside other emergency security measures introduced by the agency.

Hackers also used the same credential stuffing strategy to gain access to My Service Canada Accounts and other federal services linked through the Government of Canada’s GCKey login system during the same period.
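The two mechanisms the article describes, a credential-stuffing pattern in login traffic and a second verification step that must not be skippable, as an added example that is not from the article, the CRA or the court record. The script below flags a source address that tries many different usernames with a high failure rate in constructed sample login-log lines, and models a login session in which account data is released only when the server's own record shows the step-up check passed. The log format, thresholds, usernames, addresses and hash choice are all constructed assumptions; the article gives no detail of the actual misconfiguration.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (assumed format, not real CRA data):
#   <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2020-08-01T10:00:01Z 203.0.113.5 alice FAIL
2020-08-01T10:00:02Z 203.0.113.5 bob FAIL
2020-08-01T10:00:03Z 203.0.113.5 carol OK
2020-08-01T10:00:04Z 203.0.113.5 dave FAIL
2020-08-01T10:00:05Z 203.0.113.5 erin FAIL
2020-08-01T10:00:06Z 203.0.113.5 frank FAIL
2020-08-01T10:01:00Z 198.51.100.7 alice FAIL
2020-08-01T10:01:30Z 198.51.100.7 alice OK
2020-08-01T10:02:00Z 192.0.2.9 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, outcome); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag IPs that, inside any `window`, tried at least `min_users` distinct usernames
    with a failure ratio of at least `min_fail_ratio` (a single user retrying one
    account is not flagged). Returns {ip: (distinct_users, attempts, successes)}
    for the widest qualifying window seen per IP."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start forward
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, o in win if o == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev[0]:
                    flagged[ip] = (len(users), len(win), len(win) - fails)
    return flagged


def _digest(secret):
    # Constructed helper: a real deployment stores a salted, slow password hash
    # (argon2, bcrypt); sha256 is used here only to keep the example short.
    return hashlib.sha256(secret.encode()).hexdigest()


class LoginSession:
    """Server-side record of how far one login has progressed. Account data is
    released only when this record shows both the password and the step-up check
    (a security question here) succeeded; nothing the client sends replaces it."""

    def __init__(self, username, password_digest, answer_digest):
        self.username = username
        self._password_digest = password_digest
        self._answer_digest = answer_digest
        self.password_ok = False
        self.step_up_ok = False

    def submit_password(self, password):
        self.password_ok = hmac.compare_digest(self._password_digest, _digest(password))
        return self.password_ok

    def submit_step_up(self, answer):
        # The step-up only counts after a correct password; answering first is refused.
        if not self.password_ok:
            return False
        self.step_up_ok = hmac.compare_digest(self._answer_digest, _digest(answer))
        return self.step_up_ok

    def can_access_account(self):
        return self.password_ok and self.step_up_ok


def demo_login(password, answer):
    """Run one login for a constructed user; True only if account data would be released."""
    session = LoginSession("alice", _digest("correct-horse"), _digest("maple"))
    session.submit_password(password)
    session.submit_step_up(answer)
    return session.can_access_account()


if __name__ == "__main__":
    print(find_credential_stuffing(parse_log(SAMPLE_LOG)))
    print(demo_login("correct-horse", "maple"), demo_login("correct-horse", "wrong"))
```

Run as-is, the detector reports only 203.0.113.5 (six usernames, five failures, one success in under a minute), which is the shape a defender looks for: the one success in a burst of failures is the account that needs a forced credential reset and a review of recent profile changes such as direct-deposit edits. The session class shows the property the court record faults the CRA for lacking: the decision to release account data depends on server-side state set by the verification methods themselves, so a correct password alone, or a step-up answer submitted out of order, never unlocks the account.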

The class-action lawsuit alleged the federal government and CRA failed to properly secure their online systems and did not respond quickly enough after discovering the breach. Court filings described the handling of the attacks as “reprehensible” and accused the government of showing “callous disregard” for affected Canadians.

In response, the CRA has maintained that protecting taxpayer information remains a priority. In a public statement, the agency said no organization is completely immune from cyber threats and emphasized that it continues to use monitoring and detection systems to identify suspicious activity.

Who can claim compensation?

Roughly $6 million from the settlement fund has been allocated to Canadians whose information was accessed through credential stuffing attacks on CRA and related government accounts between June 26 and Aug. 18, 2020.

Eligible claimants may receive compensation based on how they were affected by the breach. Individuals whose information was accessed can claim reimbursement for lost time and inconvenience at a rate of $20 per hour for up to four hours, allowing for a maximum payment of $80.

People whose personal information was used to fraudulently apply for CERB or redirect legitimate payments can claim compensation at the same hourly rate for up to 10 hours, increasing the potential payout to $200.

Victims who suffered direct financial losses connected to identity theft may also seek reimbursement of up to $5,000 for eligible out-of-pocket expenses. Those costs may include unauthorized credit card charges, identity monitoring services, legal fees, banking expenses or other fraud-related financial losses incurred within a year of the breach.

The settlement will be administered by KPMG, which has launched an official claims website where Canadians can check eligibility requirements and submit claims. More details are available through the official settlement administrator portal.

The remaining settlement funds will cover legal fees, administration expenses and special honorariums awarded to representative plaintiffs involved in the case.

Under the agreement, any unclaimed money will not return to the federal government. Instead, leftover funds will be donated to the Privacy and Access Council of Canada to support privacy and cybersecurity research initiatives.

Although the settlement received court approval, not everyone supported the outcome. Court records show that 29 people objected to the agreement, with most arguing the compensation amounts were too low considering the financial and emotional stress caused by the breach.

Justice Southcott acknowledged in his ruling that the settlement could be “wholly inadequate” for some victims, particularly those who experienced significant emotional, physical or financial harm. However, he concluded that the agreement still represented a fair and reasonable resolution for the broader class of affected Canadians.

The case has also become a wider warning about the risks of password reuse and the growing threat of identity theft tied to large online government systems. Cybersecurity experts continue to advise Canadians to use unique passwords for sensitive accounts, enable multi-factor authentication whenever possible and monitor financial activity regularly.

For many Canadians affected during the pandemic, the settlement may not erase the stress and disruption caused by the attacks. But it represents one of the largest Canadian government payouts linked to a cyber breach involving taxpayer accounts and COVID-era benefit fraud.
