Federal Court approves $8.7-million settlement for major 2020 CRA data breach victims

Ottawa (Rajeev Sharma): The Federal Court of Canada has officially greenlit an $8.7-million class-action settlement aimed at compensating tens of thousands of Canadians whose sensitive personal information was compromised during a series of cyberattacks on government websites in 2020. Federal Court Justice Richard Southcott approved the agreement on Tuesday, describing the payout as a fair and reasonable outcome for a group of victims that numbers more than 47,000. This legal resolution brings a conclusion to years of litigation following a massive security failure that allowed hackers to infiltrate the Canada Revenue Agency portal and other government services during the height of the COVID-19 pandemic.

The breach, which occurred primarily during the summer of 2020, involved a technique known as credential stuffing, where bad actors used passwords leaked from other websites to gain access to MyAccount CRA profiles. While users are typically required to answer security questions as a second layer of protection, a misconfiguration within the revenue agency’s software allowed hackers to bypass these hurdles entirely. Once inside, many of these accounts were used to file fraudulent claims for pandemic-era financial aid, such as the Canadian Emergency Relief Benefit or the Canadian Emergency Student Benefit, often diverting legitimate funds to external bank accounts.

Under the terms of the new agreement, affected Canadians can claim compensation for the time they spent rectifying the situation and for the inconvenience caused by the breach. Victims are eligible to claim $20 per hour for up to four hours, resulting in a maximum base payout of $80. For those whose identities were actually used to apply for fraudulent benefits or whose legitimate payments were diverted, the maximum claim for lost time increases to $200. Additionally, the settlement includes a provision for individuals who suffered direct financial losses, allowing them to claim up to $5,000 for out-of-pocket costs related to identity theft, such as credit monitoring fees or unauthorized charges.

The lead plaintiff in the case, Todd Sweet of British Columbia, first discovered the breach when he received notifications that his account details had been altered. He found that hackers had changed his direct deposit information and filed multiple relief applications in his name. Despite his and others’ success in securing a settlement, some critics argued the dollar amounts were too low given the mental and financial harm suffered by victims. However, Justice Southcott noted that while the compensation might be inadequate for some, it serves as a reasonable level of restitution for the class as a whole. Any remaining funds from the settlement that go unclaimed will be donated to the Privacy and Access Council of Canada to support future privacy research.

In a statement issued following the court’s approval, the revenue agency declined to speak on the specifics of the litigation but maintained that protecting the personal information of Canadians remains a top priority. The agency pointed to its robust monitoring and detection systems currently in place to address evolving cyber threats. The settlement process will be overseen by the firm KPMG, which has established a dedicated website for class members to file their claims. For the small percentage of victims who objected to the settlement, a window of time remains for them to opt out and pursue individual legal action if they believe their specific damages warrant further litigation.

By Rajeev Sharma
