Federal Government Agrees to $8.7M Payout Over 2020 CRA Hack
Canada's federal government has agreed to an $8.7 million settlement to resolve a class-action lawsuit tied to one of the most significant cyberattacks on Canadian public services in recent memory — a 2020 breach that saw hackers infiltrate government websites and compromise the sensitive personal data of tens of thousands of Canadians.
The settlement, filed in Federal Court, covers victims whose accounts on government platforms — including the Canada Revenue Agency's My Account portal — were accessed, locked, or drained of funds by malicious actors exploiting stolen credentials.
What Happened in the 2020 Breach
The attacks occurred during a chaotic stretch of the COVID-19 pandemic, when Canadians were relying heavily on federal digital services to access emergency benefits like CERB. Hackers used a technique called "credential stuffing" — feeding previously leaked username and password combos into government login pages — to break into thousands of accounts.
Once inside, some bad actors changed direct deposit details to redirect government payments, including CERB and GST/HST refunds, to their own bank accounts. Others simply accessed personal data including Social Insurance Numbers, tax records, and addresses.
The Treasury Board Secretariat and the CRA were among the agencies affected. The government temporarily suspended online access to several services in the immediate aftermath as they worked to contain the breach.
Who's Covered by the Settlement
The class action was brought on behalf of Canadians who had their accounts compromised, locked out, or otherwise affected by the breach. That includes people who had money redirected from their accounts and those who faced the stress and consequences of having sensitive government-held data exposed.
The $8.7 million fund will be distributed among class members, though individual payouts will depend on the total number of valid claims filed and the nature of each person's loss.
Class members who believe they were affected should watch for official notice of the claims process, which will outline how to register and what documentation may be required.
Bigger Questions About Government Cybersecurity
The settlement doesn't just put dollars on the table — it puts a spotlight back on the vulnerabilities in Canada's federal digital services. Critics have long argued that the government's online infrastructure is under-resourced and slow to adopt modern security practices like multi-factor authentication.
The 2020 breach was a wake-up call. In the years since, the CRA has added additional verification steps and strengthened its fraud detection. But cybersecurity experts have repeatedly warned that federal digital services remain attractive targets, particularly as more Canadians move to managing their taxes, benefits, and identity documents entirely online.
For the thousands of Canadians still dealing with the fallout from identity exposure — including the anxiety of knowing their SIN and financial details circulated among bad actors — $8.7 million divided among a large class may feel like a modest result. But the legal outcome does establish that the government bears real accountability when its systems fail to protect citizen data.
Source: CBC News. Read the original report.
