The Canadian federal government has agreed to pay $8.7 million to resolve a class-action lawsuit involving numerous citizens whose sensitive data was compromised or stolen by hackers who breached government websites, including the Canada Revenue Agency (CRA) portal.
During several months in 2020, hackers targeted government accounts primarily to apply for financial assistance in the victims’ names amidst the early stages of the COVID-19 pandemic, seeking benefits like the Canadian Emergency Relief Benefit (CERB) and the Canadian Emergency Student Benefit (CESB).
Over 47,000 individuals had their personal and financial details exposed that summer, ranging from social insurance numbers and addresses to bank account information. The settlement for the class-action lawsuit, finalized in December and approved by the court recently, allows affected taxpayers to claim varying amounts based on the impact they experienced.
Federal Court Justice Richard Southcott, endorsing the settlement, described it as fair, reasonable, and in the best interest of the entire affected group. The agreement concludes a prolonged legal battle in which victims alleged that negligence by the government and the CRA led to at least three cyberattacks within the year. Hackers used private data to impersonate victims, submit fraudulent claims under emergency programs, or reroute legitimate claims to different accounts.
The CRA refrained from commenting on the specifics of the case. It emphasized that protecting Canadians’ personal information is a top priority, while acknowledging that cyber incidents and fraudulent activity are inevitable. The lead plaintiff, Todd Sweet, discovered unauthorized access to his account in 2020 and then learned that multiple false CERB applications had been made in his name.
Hackers used a technique known as “credential stuffing” to breach victims’ MyAccount CRA profiles: usernames and passwords leaked from other platforms were tried against the CRA login. They were also able to circumvent security questions because of a misconfiguration in the CRA’s credential management software. The breach was rectified after a law enforcement partner alerted the agency to the issue.
The settlement allocates a significant portion for individuals whose information was compromised through the “credential stuffing” method across various government websites during a specific period in 2020. Claimants can seek compensation for lost time and inconvenience caused by the breach, with additional provisions for out-of-pocket expenses related to identity theft.
Any remaining or unclaimed settlement funds will be donated by the government to the Privacy and Access Council of Canada for privacy research. While some individuals contested the settlement, citing concerns over the payout amount, they have the option to opt out and pursue independent legal action. Despite potential inadequacies for certain victims, the settlement aims to offer a reasonable level of compensation to the affected class as a whole.
