Federal Government to Pay $8.7M in Class-Action Settlement Over CRA Data Breach

by EditorK

A sign is pictured in front of the Canada Revenue Agency (CRA) national headquarters in Ottawa, Ontario, Canada March 13, 2017. REUTERS/Chris Wattie/File Photo

The federal government has agreed to pay $8.7 million to settle a class-action lawsuit launched after tens of thousands of Canada Revenue Agency accounts were compromised in a 2020 cyberattack.

The settlement stems from a data breach during the COVID-19 pandemic, when many Canadians were using CRA online accounts to access emergency benefits and tax services. Cybercriminals used stolen usernames and passwords from unrelated data breaches to try to access government accounts where people had reused the same login information, in a tactic called “credential stuffing.”

People affected by the breach can apply for compensation if benefits were fraudulently claimed in their names, or if they suffered other losses tied to unauthorized access to their accounts.

The settlement was initially agreed upon last December and was approved in court on May 5, ending a six-year legal battle. The court did not find the CRA negligent or legally at fault.

Justice Richard Southcott said the settlement was “in the best interests of the class as a whole.” He noted, however, that some class members may have preferred to pursue their own lawsuits. People wishing to opt out of the settlement had until Feb. 20 to notify claims administrator KPMG.

The CRA did not respond to a request for comment. In a statement last year after the settlement was proposed, the agency called it a “compromise” and denied wrongdoing.

The class action was brought in 2020 by B.C. resident Todd Sweet as a representative plaintiff on behalf of thousands of Canadians whose CRA and GCKey accounts were allegedly compromised.

According to the court decision, attackers tried to access 48,110 CRA accounts. In 21,860 cases, the attackers appeared to have stopped after checking whether the usernames and passwords worked.

The plaintiffs alleged the CRA failed to properly secure its online authentication systems against such attacks. In some cases, attackers were able to bypass security questions due to system configuration issues, court records show.

About $6 million of the $8.7 million settlement is allocated for direct compensation to affected class members. That is intended to cover claims related to unauthorized account access, time spent resolving account issues, eligible out-of-pocket losses, and fraud-related impacts.

Payouts vary depending on the extent of harm. Those whose accounts were only accessed may receive about $80, while those whose information was used in fraud may receive about $200, and claimants with documented financial losses may be eligible for up to $5,000.

The remaining funds, roughly $2.7 million, will go toward class counsel legal fees, settlement administration costs, taxes, and honorariums for representative plaintiffs.

In a statement after the breach in 2020, the Treasury Board reminded Canadians to always use a unique password for each online account, never reuse the same password for different systems and applications, and regularly monitor all online accounts for suspicious activity.

 
