Ottawa agrees to $8.7M settlement over CRA-related data breach

According to court documents, roughly 47,000 government accounts were infiltrated in the early months of the pandemic

By Branislav Urosevic

The federal government has agreed to pay $8.76 million to resolve a class-action lawsuit brought by tens of thousands of Canadians whose personal information was exposed in cyberattacks on federal online services, including the Canada Revenue Agency’s (CRA) My Account portal.

The settlement covers people whose data was compromised between March 1 and December 31, 2020, when hackers accessed government accounts and, in many cases, used stolen credentials to apply for emergency COVID-19 benefits.

According to court documents, roughly 47,000 government accounts were infiltrated in the early months of the pandemic, allowing fraudsters to submit claims for programs such as the Canada Emergency Response Benefit (CERB) and the Canada Emergency Student Benefit (CESB) in victims’ names.

The intrusions were carried out using a technique known as “credential stuffing”: attackers take username-and-password pairs leaked in breaches of other websites and try them, usually with automated tooling, against a different service, counting on people having reused the same password in both places. In this case, a misconfiguration in the CRA’s login security allowed hackers to bypass additional verification steps and take over thousands of profiles.
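Credential stuffing leaves a characteristic trace in authentication logs: one source tries many different usernames in a short period, most attempts fail, and the few that succeed are the accounts whose owners reused a leaked password. The following detector is an added example written for this page; it is not code from the article, the CRA or the Government of Canada. The log format (timestamp, source IP, username, result), the field names and the thresholds are all assumptions constructed for the example, and the sample log lines are fabricated using documentation IP ranges.

```python
"""Flag source IPs whose login pattern looks like credential stuffing.

Added example for this page, not code from the article or the CRA.
Assumed (hypothetical) log line format:
    <ISO-8601 timestamp>  <source IP>  <username>  <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries ten different accounts in a few
# seconds and mostly fails (stuffing); 198.51.100.4 is one user mistyping a
# password and then getting in (benign); 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2020-08-01T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2020-08-01T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2020-08-01T10:00:02Z 203.0.113.7 carol LOGIN_OK
2020-08-01T10:00:03Z 203.0.113.7 dave LOGIN_FAIL
2020-08-01T10:00:03Z 203.0.113.7 erin LOGIN_FAIL
2020-08-01T10:00:04Z 203.0.113.7 frank LOGIN_FAIL
2020-08-01T10:00:05Z 203.0.113.7 grace LOGIN_OK
2020-08-01T10:00:05Z 203.0.113.7 heidi LOGIN_FAIL
2020-08-01T10:00:06Z 203.0.113.7 ivan LOGIN_FAIL
2020-08-01T10:00:07Z 203.0.113.7 judy LOGIN_FAIL
2020-08-01T10:01:00Z 198.51.100.4 mallory LOGIN_FAIL
2020-08-01T10:01:20Z 198.51.100.4 mallory LOGIN_FAIL
2020-08-01T10:01:45Z 198.51.100.4 mallory LOGIN_OK
2020-08-01T10:02:00Z 192.0.2.9 oscar LOGIN_OK
"""


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: finding} for every source IP that, within a sliding time
    window, attempted at least `min_accounts` distinct usernames with a
    failure ratio of at least `min_fail_ratio`.

    The finding keeps the widest matching window seen for that IP and lists
    the accounts that logged in successfully from it ("compromised"): those
    are the account-takeover candidates that need credential resets.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):           # sort by timestamp first
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start..end] fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if e[3] == "LOGIN_FAIL")
            ratio = failures / len(win)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                prev = findings.get(ip)
                if prev is None or len(users) > prev["accounts"]:
                    findings[ip] = {
                        "accounts": len(users),
                        "attempts": len(win),
                        "failures": failures,
                        "compromised": sorted(e[2] for e in win if e[3] == "LOGIN_OK"),
                    }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['accounts']} accounts, {f['failures']}/{f['attempts']} failed, "
              f"successful logins: {', '.join(f['compromised']) or 'none'}")
```

On the constructed sample the detector flags only 203.0.113.7 and names carol and grace as the accounts that were actually entered. The per-IP heuristic is the simplest useful form; real stuffing campaigns are usually spread across proxies or a botnet so that each source IP stays under any such threshold, which is why production detection also keys on global failure rate per unit time, on many accounts being hit with the same password, and on device or browser fingerprints, and why the durable fix is a second factor that a reused password alone cannot satisfy.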

Exposed information included social insurance numbers, dates of birth, tax records, direct deposit banking details, records of employment, and other benefits-related data.

Under the terms of the agreement, approved this week by the Federal Court, compensation will be paid on a tiered basis. Individuals whose information was accessed but not used for fraud can claim up to $80, calculated at $20 per hour for up to four hours of time spent dealing with the fallout. Those whose data was used to commit financial fraud, such as filing bogus benefit claims or redirecting legitimate payments, can receive up to $200 for time spent resolving the issue.

The total settlement amount of $8,760,500.90 includes payments to class members, legal fees, taxes and administration costs.

In addition to time-based compensation, a separate reimbursement fund has been created for out-of-pocket losses. Eligible class members can claim up to $5,000 for expenses incurred in the year following the breach, such as costs related to identity theft, credit monitoring, or fees stemming from fraudulent activity tied to the hacked accounts.

The agreement brings to a close a multi-year legal fight that accused the federal government and the CRA of failing to adequately secure online portals and detect intrusions in a timely manner. Plaintiffs argued those shortcomings allowed cybercriminals to gain access to highly sensitive data and exploit federal relief programs during a period of heightened vulnerability.

In his approval of the settlement, Federal Court Justice Richard Southcott acknowledged that some individuals may feel the compensation does not fully reflect the harm they experienced. However, he concluded that the overall package strikes an appropriate balance between the risks of continued litigation and the benefits of prompt, guaranteed recovery for the class.

"I find that the proposed settlement is fair, reasonable, and in the best interests of the class as a whole," Justice Southcott wrote in his decision.
