Ottawa settles lawsuit with Canadians whose CRA accounts were hacked for $8.7M

Posted on: Aug 22, 2025 15:28 IST | Posted by: Cbc
The federal government will pay $8.7 million to settle a class-action lawsuit involving tens of thousands of Canadians whose sensitive information was compromised or stolen when hackers got into their accounts on government websites, including the Canada Revenue Agency (CRA) portal.

Hackers targeted government accounts over several months in 2020 largely for the purpose of applying for financial aid in the victims' names during the earliest months of the COVID-19 pandemic, including the Canadian Emergency Relief Benefit (CERB) or the Canadian Emergency Student Benefit (CESB). 

More than 47,000 people had their personal and financial information compromised that summer alone, from social insurance numbers and home addresses to details of their bank accounts.

The class-action settlement reached last December was approved in court on Tuesday. Some taxpayers can claim more than others, depending on how they were affected.

"I find that the proposed settlement is fair, reasonable, and in the best interests of the class as a whole," Federal Court Justice Richard Southcott wrote in his decision.

The agreement brings to an end a years-long legal battle, in which victims claimed government and CRA "failings" allowed at least three cyberattacks over the course of the year. Court filings said hackers used private information to impersonate victims, file fraudulent claims under the emergency programs or divert authentic claims to other bank accounts.

The CRA did not respond to a request for comment by deadline, but released a statement about the settlement when it was proposed last December.

"The ... Settlement is a compromise of disputed claims and is not an admission of liability or wrongdoing or fault by any of the defendants," it read. "The Government of Canada denies that it did anything wrong."

Court heard the lead plaintiff, Todd Sweet of Clinton, B.C., discovered his account had been hacked in July 2020 after he received emails notifying him the email address associated with his account had been changed. He logged into the CRA's online portal to find someone had changed his direct deposit information and filed four applications for CERB in his name.

The next month, the CRA temporarily shut down its online services after other Canadians shared similar stories online. The lawsuit was filed in B.C. weeks later, claiming the agency's failure to properly secure the website or more quickly detect the breach was "reprehensible and showed a callous disregard for the rights of [victims]."

Hackers got into the victims' MyAccount CRA profiles through what cybersecurity experts call "credential stuffing," a scheme in which thieves use usernames and passwords leaked from one website to log in to another. (The method is one of the reasons why users are encouraged to create strong, unique passwords for each of their online accounts rather than recycling login information.)

Typically, the correct username and password are only the first step to log in to the CRA's MyAccount portal — users usually need to answer a security question as Step 2. But during the breach in the summer of 2020, Southcott previously wrote, hackers were "able to bypass the security questions ... because of a misconfiguration in CRA's credential management software."

Court filings said the CRA found out about the problem on Aug. 6, 2020, when a "law enforcement partner" alerted officials that someone was selling the method on the dark web. Southcott said the agency fixed the issue four days later, "among other steps taken to respond to the data breach."

Hackers used the same scheme that summer to get into My Service Canada Accounts and other online government accounts accessed with the Government of Canada branded credential service key, known as GCKey.

Roughly $6 million of the $8.7 million settlement has been set aside for Canadians whose information was accessed from all of those government websites with the "credential stuffing" method between June 26 and Aug. 18, 2020. The rest of the settlement covers legal fees, special honorariums for key plaintiffs — including Sweet — and administrative costs.

People whose personal information was accessed in the relevant time period can claim $20 an hour for their lost time and "inconvenience," for up to four hours – a maximum payout of $80. If hackers used their information to apply for fraudulent CERB benefits or divert legitimate CERB payments, they can bill the government at the same rate up to $200.

The settlement will be administered by KPMG, which created a website for the class action.

Both groups can claim up to $5,000 for out-of-pocket costs they might have paid in the year after the hack in relation to identity theft, like credit card charges or other fees.

If there's any money from the settlement amount left over or left unclaimed, it won't stay with the government: Ottawa agreed to donate any excess to the Privacy and Access Council of Canada to fund privacy research.

Twenty-nine people — far less than one per cent of the class — objected to the settlement for various reasons, though the ruling said most disapproved because they believed the dollar amount was too low. Southcott said those people have a period of time to opt out of the class action, which would allow them to file a lawsuit on their own if they wished.

In his decision, Southcott acknowledged the settlement might "be wholly inadequate" for some victims, "particularly those who allege that they have suffered significant mental, physical, and financial harm." Still, he said the deal is meant to provide "a reasonable level of compensation" for the class as a whole.
