The federal government will pay $8.7 million to settle a class-action lawsuit tied to a major 2020 cyberattack that compromised thousands of Canada Revenue Agency (CRA) accounts and other federal online services. The breach affected more than 47,000 Canadians, exposing sensitive personal and financial information including Social Insurance Numbers (SINs), home addresses, and banking details.
Hackers reportedly used a method known as “credential stuffing,” in which usernames and passwords stolen from other websites are reused to access government accounts. Court documents revealed that attackers were able to bypass CRA security questions due to a software misconfiguration, allowing fraudulent CERB and CESB claims to be filed in victims’ names during the height of the COVID-19 pandemic.
Federal Court Justice Richard Southcott approved the settlement this week, calling it “fair, reasonable, and in the best interests of the class as a whole.” While the government denied any wrongdoing, plaintiffs argued the CRA failed to adequately secure its systems and respond quickly enough after discovering the breach.
Under the settlement, eligible Canadians can claim compensation for lost time, inconvenience, fraudulent benefit claims, and identity theft-related expenses. Some victims may receive up to $5,000 for out-of-pocket costs linked to the breach. KPMG will administer the settlement process through a dedicated class-action website.





