Key Takeaways
- A proposed class-action settlement may provide compensation to Canadians who had their personal or financial information disclosed to a third-party without authorization between March 1, 2020, and December 31, 2020.
- Eligible Canadians may receive up to $80 for access claims, up to $200 for fraud claims, and up to $5,000 for special compensation for out-of-pocket expenses.
- Class members who were victims of "credential stuffing" attacks directed at Government of Canada Online Accounts between June 15 and August 30, 2020, are eligible for a possible payout.
- The proposed settlement is still subject to court approval, scheduled to take place on March 31, 2026.
Introduction to the Proposed Settlement
The Canadian government has reached a proposed class-action settlement with individuals who had their personal or financial information compromised due to a cyberattack on the Canada Revenue Agency (CRA) and Government of Canada online accounts. The settlement aims to provide compensation to those affected by the breach, which occurred between March 1, 2020, and December 31, 2020. The proposed settlement is the result of a class-action lawsuit initiated by Todd Sweet, who alleged that the CRA and the Government of Canada were negligent in safeguarding the confidential information of Canadians, leading to widespread privacy breaches.
Background of the Cyberattack
In August 2020, the Canadian government responded to "credential stuffing" attacks mounted on the GCKey service and CRA accounts. The attacks allowed bad actors to access the online accounts of Canadians without their consent, and in many cases, these actors used real accounts to apply for the Canada Emergency Response Benefit (CERB). The class-action lawsuit claimed that inadequate safeguards within several online government portals allowed the breach to occur, and that the government was responsible for the alleged breach of privacy. The lawsuit sought compensation for the harm caused and credit monitoring services to repair the damage.
Eligibility for the Proposed Settlement
To be eligible for the proposed settlement, individuals must have had their personal or financial information disclosed to a third-party without authorization between March 1, 2020, and December 31, 2020. This includes individuals with a CRA account, My Service Canada account, or any other account accessed using the Canadian government’s branded credential service, GCKey. However, not all class members will be entitled to payments under the proposed settlement agreement. Only those who were victims of the "credential stuffing" attacks directed at Government of Canada Online Accounts between June 15 and August 30, 2020, are eligible for a possible payout.
Compensation Under the Proposed Settlement
The proposed settlement provides for different types of compensation, depending on the extent of the harm caused. Individuals whose personal information was accessed but not used for fraudulent purposes may submit an access claim, which could provide up to $80 in compensation for the loss of time and inconvenience incurred. Those whose personal information was accessed and used for fraudulent purposes may claim for fraud, which could provide up to $200 in compensation. Additionally, a special compensation fund is available to reimburse individuals for out-of-pocket expenses relating to the data breach, up to $5,000.
Next Steps for Class Members
If you are a class member and want to participate in the proposed settlement, you do not need to take any action at this time. You are automatically included as a class member unless you opt out of the applicable proceeding. After the court approves the proposed settlement, you will be notified in writing regarding how to apply for compensation. To learn more, you can read the government notice, which provides detailed information about the proposed settlement and the eligibility criteria. It is essential to stay informed and follow the instructions provided to ensure that you receive the compensation you are entitled to.
