Canadians could claim up to $5,000 in proposed CRA settlement

Canadians who have online accounts with the Canada Revenue Agency (CRA) and the  Government of Canada could soon cash in on a proposed class-action settlement.

In August 2020, the Canadian government responded to “credential stuffing” attacks mounted on the GCKey service and CRA accounts.

After the cyberattack, Todd Sweet initiated a class action against the CRA and the Government of Canada, alleging that they were “negligent in safeguarding the confidential information of Canadians, leading to widespread privacy breaches.”

In the class-action lawsuit, Sweet claimed that “inadequate safeguards” within several online government portals “allowed bad actors” to access the online accounts of Canadians without their consent.

He also alleged that, in many cases, these bad actors used real accounts to apply for the Canada Emergency Response Benefit (CERB).

Sweet asked the court to order the Government of Canada to pay compensation for the alleged breach of privacy and credit monitoring services that may be needed to repair the harm caused.

In October 2025, both parties reached an agreement on a proposed settlement.

“The Government of Canada, like every other government and private sector organization in the world, faces ongoing and persistent cyber threats,” the Treasury Board of Canada Secretariat shared in a statement on Friday.

It added that the government has provided information regarding the class action and that government departments have also sent out direct notifications to individuals who may have been impacted by the cyberattack.

Who’s eligible for the proposed CRA settlement?

According to a federal government notice, class members are all persons whose personal or financial information in their Government of Canada Online Account was disclosed to a third-party without authorization between March 1, 2020, and Dec. 31, 2020, including Excluded Persons.

“Government of Canada Online Account” means a CRA account, My Service Canada account, or any other account that is accessed by using the Canadian government’s branded credential service, GCKey.

“Excluded Persons” means all persons who contacted Murphy Battista LLP about the CRA privacy breach class action, with Federal Court file number T-982-20, prior to June 24, 2021.

However, the government noted that not all class members will be entitled to payments under the proposed settlement agreement.

According to the notice, only those class members who were victims of the “credential stuffing” attacks directed at Government of Canada Online Accounts between June 15 and Aug. 30, 2020, are eligible for a possible payout. Their personal information needs to have been accessed, or accessed and used for fraudulent purposes, to be entitled to payments.

The notice added that those who received an email from claims administrator KPMG are eligible to apply for a payment under the settlement agreement.

How much money could you receive?

The proposed settlement is still subject to court approval, which is scheduled to take place on March 31, 2026.

If approved, eligible Canadians could receive the following, depending on how they were impacted.

Access claims

If your personal information was accessed (but not used for fraudulent purposes), you could submit an access claim.

This would compensate you for the loss of time and inconvenience incurred (if any) communicating with government officials, law enforcement or credit agencies addressing issues related to the data breach, at a rate of $20 per hour for a maximum of four hours. That means you could claim up to $80.

Fraud claims

If your personal information was accessed and used for fraudulent purposes, you could claim for fraud.

Examples include fraudulent applications made in your name for CERB benefits, CESB benefits and/or EI benefits, or if payments for legitimate CERB, CESB, or EI claims were diverted to an unauthorized bank account.

If this fits your situation, you could be eligible to receive compensation for the loss of time and inconvenience incurred communicating with government officials, law enforcement officials, or credit agencies addressing issues related to the data breach, at a rate of $20 per hour for a maximum of 10 hours. That means you could claim up to $200.

Special compensation fund

If you’ve incurred out-of-pocket expenses relating to the data breach, you’re eligible to apply for reimbursement of up to $5,000.

“Eligible out-of-pocket expenses include unreimbursed fraud losses or charges, professional or other fees incurred in connection with identity theft, and fees or penalties resulting from credit freezes,” explained the government notice.

It added that the precise amount of compensation could be reduced depending on the number of claims made.

What should you do next?

If you’re a class member and you want to participate in the proposed settlement, you don’t need to do anything at the moment.

“You are automatically included as a class member unless you opt out of the applicable proceeding,” reads the notice. “After the court approves the proposed settlement, you will be notified in writing regarding how to apply for compensation.”

To learn more, read the government notice.

You might also like:
• McDonald’s Canada teams up with Expedia to offer diners new travel perks
• Universities struggling as international students skip Canada this year
• New laws and measures coming to Canada in January