The federal government has agreed to pay $8.7 million to settle a class action lawsuit involving Canadians whose personal and financial information was compromised through online government accounts, including Canada Revenue Agency accounts. According to CBC News, the settlement was approved by the Federal Court after a years long legal dispute connected to cyberattacks that took place during the early months of the COVID 19 pandemic.
The breach affected tens of thousands of Canadians in 2020, when hackers accessed government accounts and used stolen information to apply for emergency benefits such as the Canada Emergency Response Benefit and the Canada Emergency Student Benefit. More than 47,000 people had sensitive information exposed that summer, including social insurance numbers, home addresses, and banking details.
Court filings said the attacks involved hackers impersonating victims, submitting fraudulent benefit applications, or redirecting legitimate payments into other accounts. The lead plaintiff, Todd Sweet of Clinton, British Columbia, discovered his account had been compromised after receiving emails that his account information had been changed. He later found that his direct deposit information had been altered and that multiple CERB applications had been filed in his name.
According to CBC News, the hackers used a method known as credential stuffing, where usernames and passwords leaked from one website are used to break into accounts on another platform. The court heard that hackers were able to bypass CRA security questions because of a software misconfiguration. The CRA learned about the issue in August 2020 after being alerted that the method was being sold on the dark web, and the problem was later fixed.
The CRA has said that protecting Canadians’ personal information remains a priority and that no organization is fully immune from cyber incidents or fraud. The agency stated that it has systems in place to monitor, detect, investigate, and respond to potential threats. More Canada related coverage can be found at Weekly Voice and in the Canada news section.
Under the settlement, roughly $6 million has been set aside for affected Canadians whose information was accessed through government websites using the credential stuffing method between June 26 and August 18, 2020. Some eligible individuals may claim compensation for lost time and inconvenience, while those who had fraudulent CERB applications filed or payments diverted may qualify for higher payments. Victims may also be able to claim up to $5,000 for certain out of pocket costs linked to identity theft.
The settlement will be administered by KPMG through a dedicated class action website. If any money remains unclaimed, Ottawa has agreed that the balance will be donated to the Privacy and Access Council of Canada to support privacy research. Federal Court Justice Richard Southcott acknowledged that the compensation may not fully satisfy every victim, especially those who suffered serious harm, but ruled that the agreement was fair and reasonable for the class as a whole.
