The Canadian government has agreed to pay $8.7 million to settle a class-action lawsuit stemming from a significant cyber attack on government websites, including Canada Revenue Agency (CRA) accounts. Tens of thousands of Canadians may be eligible for compensation under this settlement, which received court approval on Tuesday after being reached last December.
What is the Class-Action Lawsuit About?
Between June and August 2020, hackers targeted federal government accounts, compromising the personal and financial information of more than 48,000 Canadians. The stolen data included social insurance numbers, home addresses, and bank account details. The cybercriminals used this information to apply for financial benefits in the victims' names, such as the Canadian Emergency Relief Benefit (CERB) and the Canadian Emergency Student Benefit (CESB).
The lawsuit was initiated by Todd Sweet of Clinton, British Columbia, who discovered his account had been hacked on July 2, 2020. After receiving emails about changes to his account, he logged in and found that his direct deposit information had been altered and fraudulent CERB applications had been submitted in his name. Sweet alleged that the government breached class members' privacy by failing to properly safeguard confidential information, allowing unauthorized access to online accounts.
Court filings reveal that the CRA learned of the breach, described as a "credential stuffing" attack, on August 6, 2020, after a law enforcement partner reported that the hacking method was being sold on the dark web. The CRA resolved the issue by August 10, 2020, but by then, 48,110 CRA My Accounts had been impacted. Of these, 12,700 accounts had their direct deposit banking information changed, and fraudulent CERB applications were submitted.
How Much Money Could Canadians Get?
Individuals whose information was accessed can claim compensation for lost time and inconvenience at a rate of $20 per hour for up to four hours, resulting in a maximum payout of $80. However, if hackers used their information to file fraudulent benefit applications or divert legitimate payments, they can bill the government at the same rate for up to 10 hours, for a maximum payout of $200.
Both groups can claim up to $5,000 for out-of-pocket costs related to identity theft incurred within one year of the breach. Examples of such costs include unreimbursed credit charges, professional or other fees incurred in connection with identity theft, and fees or penalties resulting from credit freezes.
How to Check if You Qualify
Canadians who believe they were affected by the breach should monitor official communications from the CRA or the settlement administrator. The settlement provides a process for submitting claims, and eligible individuals will need to provide documentation to support their claims. Further details on how to apply will be made available through official channels.
