Government to pay $8.7M to Canadians affected by CRA data breach. Here’s how to check if you qualify

The Canadian government will pay $8.7 million to settle a class-action lawsuit stemming from a major cyber attack, and tens of thousands of Canadians could be eligible for compensation.

The settlement relates to a data breach of the Government of Canada websites, including CRA accounts, and was reached last December, before receiving court approval on Tuesday.

Between June and August 2020, hackers targeted federal government accounts, resulting in more than 48,000 Canadians having their personal and financial information compromised, such as social insurance numbers, home addresses and bank account details.

The hackers used the information to apply for financial benefits in the victims’ names, including the Canadian Emergency Relief Benefit (CERB) and the Canadian Emergency Student Benefit (CESB).

Todd Sweet, of Clinton, B.C., initiated the class-action against the CRA and the Government of Canada after discovering his account had been hacked on July 2, 2020. He logged into his CRA account after receiving emails notifying him that changes had been made to his account, and discovered that his direct deposit information had been altered and CERB applications had been filed in his name.

Sweet claimed that the government “breached class members’ privacy by not properly safeguarding confidential personal and financial information” and that the “inadequate safeguards allowed bad actors to access the online accounts of Canadians” without their consent, according to a government notice .

Court filings say that the CRA learned of the breach, which is called a “credential stuffing” attack, on Aug. 6, 2020, after receiving a tip from a law enforcement partner that the hacking method was being sold on the dark web.

The CRA fixed the issue “on or about August 10, 2020,” by which point 48,110 CRA My Accounts had been impacted. Of these, 12,700 accounts had their direct deposit banking information changed and fraudulent CERB applications submitted.

In an email to National Post, a CRA spokesperson said: “The protection of the personal information of Canadians is a priority for the Canada Revenue Agency (CRA) and the Government of Canada. No organization is immune to cyber incidents or fraudulent activity. This is why the CRA has robust systems and tools in place to monitor, detect, investigate and quickly address potential threats.”

Individuals whose information was accessed can claim compensation for lost time and inconvenience at a rate of $20 an hour for up to four hours, for a maximum payout of $80.

However, if hackers used their information to file fraudulent benefit applications or divert legitimate payments, they can bill the government at the same rate for up to 10 hours, resulting in a maximum payout of $200.

Both groups can claim up to $5,000 for out-of-pocket costs related to identity theft incurred within one year of the breach.

“Examples of such out-of-pocket costs include unreimbursed credit charges, professional or other fees incurred in connection with Identity Theft (as defined in the FSA), and fees or penalties resulting from credit freezes,” the court documents state.

Some of the $8.7 million settlement fund will also cover legal fees and special honorariums to Todd Sweet and other key plaintiffs.

In his decision, Federal Court Justice Richard Southcott wrote that the terms of the settlement are “fair, reasonable, and in the best interests of the class as a whole.”

According to the settlement agreement, eligible claimants are those who had their personal data accessed from a Government of Canada online account between June 26 and Aug. 18, 2020. Accounts include the CRA’s ‘My Account’, My Services Canada or any other online account that is accessed using a GCKey.

Professional services firm KPMG is administering the settlement and has set up a dedicated website that allows individuals to check their eligibility.

Those who are eligible to apply for a payment should have already received an email from KPMG.

• 12 million Canadians could get a one-time bonus payment this spring. Here's how to check if you qualify
• It's Canada census time. Can you be jailed for not filling it out?

Our website is the place for the latest breaking news, exclusive scoops, longreads and provocative commentary. Please bookmark nationalpost.com and sign up for our daily newsletter, Posted, here.