
Thousands of Canadians impacted by a major cyberattack targeting federal government accounts are set to receive compensation after the federal government agreed to an $8.7 million settlement in a class-action lawsuit linked to hacked Canada Revenue Agency accounts during the COVID-19 pandemic.
The settlement closes a years-long legal battle tied to cyberattacks that exposed sensitive financial and personal information belonging to more than 47,000 Canadians in 2020. Hackers allegedly exploited weaknesses in government login systems to access accounts and fraudulently apply for pandemic relief programs such as the Canadian Emergency Response Benefit and the Canadian Emergency Student Benefit.
Court Approves Settlement for Victims of Government Account Hacks
The Federal Court officially approved the settlement after determining it was fair and reasonable for the affected class members. Federal Court Justice Richard Southcott stated in his ruling that the agreement was in the best interests of the class as a whole, despite concerns from some victims who argued the compensation was insufficient.
The lawsuit accused the federal government and the Canada Revenue Agency of failing to adequately protect online systems during a critical period when millions of Canadians were relying on digital government services amid pandemic lockdowns.
Victims claimed the security failures enabled cybercriminals to gain unauthorized access to online government portals, steal personal data, and redirect benefit payments into fraudulent bank accounts.
Hackers Exploited CRA and Government Login Systems During Pandemic
The cyberattacks took place over several months in 2020, at the height of emergency benefit distribution during the pandemic. According to court documents, attackers primarily targeted government accounts to fraudulently obtain COVID-19 financial assistance.
Personal Information Was Widely Exposed
The breach exposed a large amount of sensitive data, including:
Social insurance numbers
Home addresses
Banking details
Email addresses
Direct deposit information
For many victims, the attacks resulted not only in financial concerns but also long-term fears over identity theft and privacy violations.
Court filings described how cybercriminals impersonated victims to submit fraudulent benefit applications or reroute legitimate payments to different bank accounts controlled by scammers.
Lead Plaintiff Discovered Fraudulent CERB Applications
The court heard testimony from lead plaintiff Todd Sweet of Clinton, British Columbia, who discovered his account had been compromised in July 2020 after receiving notifications that his account email address had been changed.
When he logged into his CRA account, he found hackers had altered his banking information and submitted four CERB applications in his name.
His experience mirrored reports from many other Canadians who later came forward online with similar complaints involving unauthorized account access and suspicious benefit applications.
CRA Temporarily Shut Down Online Services
As reports of hacked accounts spread, the CRA temporarily suspended online services in August 2020 to contain the security issue and investigate the breach.
The class-action lawsuit was filed shortly afterward in British Columbia, alleging the agency’s security practices showed a disregard for the rights and privacy of affected Canadians.
Plaintiffs argued the government failed to properly secure its systems and did not respond quickly enough once signs of unauthorized access emerged.
Credential Stuffing Attack Played Central Role
Cybersecurity experts identified the attacks as a form of “credential stuffing,” a technique where hackers use usernames and passwords stolen from unrelated websites to gain access to accounts on other platforms.
Reused Passwords Became a Major Weakness
Many people reuse the same login credentials across multiple websites. Hackers exploited this behavior by testing previously leaked usernames and passwords against government portals.
Normally, CRA accounts required users to answer security questions after entering login credentials. However, court findings revealed that attackers were able to bypass those security questions due to a software misconfiguration within CRA credential management systems.
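To make the two failure modes described above concrete from the defender's side, the following added example (not from the court record or any CRA system) scans an authentication log for a source that tries many usernames with mostly failed passwords, and for sessions that start without a passed security-question step. The log format, event names, and thresholds are assumptions made for illustration, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (hypothetical format): time, source IP, user, event
SAMPLE_LOG = """\
10:00:01 203.0.113.7 alice PASSWORD_FAIL
10:00:02 203.0.113.7 bob PASSWORD_FAIL
10:00:03 203.0.113.7 carol PASSWORD_OK
10:00:03 203.0.113.7 carol SESSION_START
10:00:04 203.0.113.7 dave PASSWORD_FAIL
10:05:10 198.51.100.20 erin PASSWORD_OK
10:05:31 198.51.100.20 erin CHALLENGE_OK
10:05:32 198.51.100.20 erin SESSION_START
"""

def parse(log):
    """Split each line into (time, ip, user, event)."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def stuffing_sources(events, min_users=3, min_fail_ratio=0.5):
    """IPs that tried many distinct usernames with mostly failed passwords."""
    users, fails, tries = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, event in events:
        if event.startswith("PASSWORD_"):
            users[ip].add(user)
            tries[ip] += 1
            fails[ip] += event == "PASSWORD_FAIL"
    return sorted(ip for ip in users
                  if len(users[ip]) >= min_users
                  and fails[ip] / tries[ip] >= min_fail_ratio)

def challenge_bypasses(events):
    """Sessions that started without a passed security-question step."""
    state, hits = {}, []
    for ts, ip, user, event in events:
        key = (ip, user)
        if event == "PASSWORD_OK":
            state[key] = "password"
        elif event == "CHALLENGE_OK" and state.get(key) == "password":
            state[key] = "challenged"
        elif event == "SESSION_START":
            # A session is legitimate only if the challenge step was recorded.
            if state.pop(key, None) != "challenged":
                hits.append((ts, ip, user))
        elif event == "PASSWORD_FAIL":
            state.pop(key, None)
    return hits

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(stuffing_sources(events), challenge_bypasses(events))
```

The second check is the one that matters for a misconfiguration like the one described: it alerts on the missing step itself rather than on login volume, so it fires even when the attacker's request rate is low.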
Dark Web Alert Exposed the Vulnerability
Court documents stated the CRA learned about the vulnerability on Aug. 6, 2020, after a law enforcement partner warned officials that methods for bypassing account protections were being sold on the dark web.
The agency reportedly fixed the issue four days later and implemented additional security measures to respond to the breach.
Hackers also used similar methods to access My Service Canada Accounts and other government services connected through the GCKey authentication system.
How the $8.7 Million Settlement Will Be Distributed
A large portion of the settlement fund has been designated for Canadians whose personal information was accessed through credential stuffing attacks between June 26 and Aug. 18, 2020.
Compensation for Time and Inconvenience
Eligible claimants may receive compensation based on how the breach affected them.
People whose information was accessed can claim payment for time lost and inconvenience at a rate of $20 per hour for up to four hours, allowing for a maximum payment of $80.
Higher Payments for CERB Fraud Victims
Individuals whose information was used to fraudulently apply for CERB or whose legitimate payments were redirected may claim compensation at the same hourly rate for up to 10 hours, allowing a maximum payout of $200.
Reimbursement for Identity Theft Costs
Victims may also seek reimbursement of up to $5,000 for eligible out-of-pocket expenses related to identity theft or fraud following the breach.
These expenses may include:
Credit monitoring fees
Unauthorized banking or credit card charges
Administrative costs linked to restoring identity records
Other financial losses tied to the breach
KPMG to Manage the Claims Process
The settlement process will be administered by KPMG, which has established a dedicated claims website for affected individuals.
The settlement also covers legal fees, administrative expenses, and honorariums for representative plaintiffs involved in the lawsuit.
Any leftover or unclaimed settlement money will not return to the federal government. Instead, remaining funds will be donated to the Privacy and Access Council of Canada to support privacy-related research and initiatives.
Some Victims Say Settlement Falls Short
Although the court approved the agreement, some class members expressed dissatisfaction with the compensation amount.
Twenty-nine individuals formally objected to the settlement, with many arguing the payouts did not adequately reflect the emotional, financial, and psychological harm caused by the breach.
Justice Southcott acknowledged in his ruling that the settlement could be considered inadequate for some people who experienced severe financial or mental hardship as a result of the attacks.
Still, he concluded the agreement represented a reasonable compromise for the broader class of affected Canadians.
Cybersecurity Concerns Continue to Grow
The case has become one of the most significant examples of how vulnerable digital government services can become during periods of crisis and rapid online expansion.
It also highlighted the risks associated with password reuse and the growing threat posed by credential stuffing attacks, which continue to target government agencies, financial institutions, and major online platforms worldwide.
The breach prompted renewed discussions around stronger cybersecurity protections, multi-factor authentication, and faster response systems for federal online services handling sensitive citizen information.

