Canadians can soon claim up to $5,000 in CRA data breach settlement
Canadians who have Government of Canada online accounts, including the Canada Revenue Agency (CRA) “My Account,” could be eligible to cash in on an approved class-action settlement.
The settlement for the nationwide class action involving the alleged privacy breach of Government of Canada online accounts was approved by the Federal Court on Tuesday, May 5, 2026.
In the decision, Federal Court Justice Richard Southcott wrote that the terms of the settlement are “fair, reasonable, and in the best interests of the class as a whole.”
This means the federal government will need to pay $8.7 million to settle the class action involving tens of thousands of impacted Canadians.
What is the class action about?
Wandering views/Shutterstock
In August 2020, the Canadian government responded to “credential stuffing” attacks mounted on the GCKey service and CRA accounts.
After the cyberattack, Todd Sweet initiated a class action against the CRA and the Government of Canada, alleging that they were “negligent in safeguarding the confidential information of Canadians, leading to widespread privacy breaches.”
In the class-action lawsuit, Sweet claimed that “inadequate safeguards” within several online government portals “allowed bad actors” to access the online accounts of Canadians without their consent. Hackers had access to personal and financial information, including social insurance numbers, addresses, and banking details.
He also alleged that, in many cases, these bad actors used real accounts to apply for the Canada Emergency Response Benefit (CERB).
Sweet asked the court to order the Government of Canada to pay compensation for the alleged breach of privacy and credit monitoring services that may be needed to repair the harm caused.
In December 2025, both parties reached an agreement on a proposed settlement.
“The Government of Canada, like every other government and private sector organization in the world, faces ongoing and persistent cyber threats,” the Treasury Board of Canada Secretariat shared in a statement at the time.
They added that the government provided information regarding the class action and that government departments also sent out direct notifications to individuals who may have been impacted by the cyberattack.
Who’s eligible for the CRA settlement?
KPMG, which is administering the settlement, shared details for eligibility on a dedicated website.
“You are a Class Member if your personal or financial information in a Government of Canada Online Account was disclosed to a third party without authorization between March 1, 2020, and Dec. 31, 2020, including those defined as ‘Excluded Persons,'” reads the site.
Government of Canada online accounts include a CRA account, My Service Canada account, and any other Government of Canada online account accessed using GCKey.
“Excluded Persons” means all persons who contacted Murphy Battista LLP about the CRA privacy breach class action, with Federal Court file number T-982-20, prior to June 24, 2021.
KPMG noted that not all class members will be entitled to payments under the settlement agreement.
According to a federal government notice, only those class members who were victims of the “credential stuffing” attacks directed at Government of Canada Online Accounts between June 15 and Aug. 30, 2020, are eligible for a possible payout. Their personal information needs to have been accessed, or accessed and used for fraudulent purposes, to be entitled to payments.
The notice added that those who received an email from claims administrator KPMG are eligible to apply for a payment under the settlement agreement.
How much money could you get?
Vergani Fotografia/Shutterstock
KPMG has yet to update its site with details about how the payments will be distributed or when the claim deadline is.
Depending on how you were impacted, here’s how much you could claim:
Access claims
If your personal information was accessed (but not used for fraudulent purposes), you could submit an access claim.
This would compensate you for the loss of time and inconvenience incurred (if any) communicating with government officials, law enforcement or credit agencies addressing issues related to the data breach, at a rate of $20 per hour for a maximum of four hours. That means you could claim up to $80.
Fraud claims
If your personal information was accessed and used for fraudulent purposes, you could claim for fraud.
Examples include fraudulent applications made in your name for CERB benefits, CESB benefits and/or EI benefits, or if payments for legitimate CERB, CESB, or EI claims were diverted to an unauthorized bank account.
If this fits your situation, you could be eligible to receive compensation for the loss of time and inconvenience incurred communicating with government officials, law enforcement officials, or credit agencies addressing issues related to the data breach, at a rate of $20 per hour for a maximum of 10 hours. That means you could claim up to $200.
Special compensation fund
If you’ve incurred out-of-pocket expenses relating to the data breach, you’re eligible to apply for reimbursement of up to $5,000.
“Eligible out-of-pocket expenses include unreimbursed fraud losses or charges, professional or other fees incurred in connection with identity theft, and fees or penalties resulting from credit freezes,” explained the government notice.
It added that the precise amount of compensation could be reduced depending on the number of claims made.
What should you do next?
Class members who want to participate in the settlement didn’t have to do anything.
“You are automatically included as a class member unless you opt out of the applicable proceeding,” reads the government’s notice. “After the court approves the proposed settlement, you will be notified in writing regarding how to apply for compensation.”
To learn more, read the government notice and visit the settlement site.