Class action against Government of Canada advances following 2020 CRA privacy breach

The Federal Court of Canada has certified the class action filed against the Government of Canada over the spate of cyber incidents that took place between March and September 2020 attacking the Canada Revenue Agency (CRA) accounts of over 45,000 Canadians.

The cyber incidents, the government said at the time, used credential stuffing, where passwords and usernames collected from previous hacks in other organizations are entered to access CRA accounts.

The class action suit, which was initiated in August 2020, first requires certification from the Federal Court to determine if the case should, in fact, be dealt with as a class proceeding. To determine that, the court usually sees, among other factors, whether there is an identifiable class (a large group of affected people), an issue common to the class and if there is an appropriate representative plaintiff.

The representative plaintiff, B.C. resident Todd Sweet, claims that he logged into his CRA online account in July 2020 after being notified by email that his direct deposit information has been changed and that, on June 29, 2020, using his account, an unknown and unauthorized individual had made four applications for the Canada Emergency Response Benefit (CERB), a program initiated by the government to provide financial assistance to qualifying Canadians during the COVID-19 pandemic. 

He is, the notice of certification document says, one of a potential class of thousands of people whose online accounts, accessed via the Government of Canada Branded Credential Service Key (GCKey), were vulnerable to hackers.

Of the 48,110 My Account users who were impacted, 12,700 saw the threat actor change the taxpayer’s direct deposit banking information and fraudulently apply for CERB. Employment and Social Development Canada (ESDC) accounts reportedly suffered the greatest impact from the attack.

The class action, hence, alleges that the government has been negligent in safeguarding the confidential information of Canadians, who suffered damages including costs in preventing identity theft, damage to credit reputation, mental distress, monies withdrawn from their bank accounts without their consent, time lost in communication with the CRA, ESDC and other government agencies, and more.

The government denies any wrongdoing.

The plaintiff is asking the court to order the Government of Canada to pay compensation for, among other things, the alleged breach of privacy, and for credit monitoring services that may be required to repair the harm caused.

Every affected person whose government online account was accessed via GCKey between Mar. 1, 2020 and Dec. 31, 2020 is automatically included in this class action.

If a class member wishes to opt-out, they can do so by emailing the class counsel, and no outcome – good or bad, would be applied to them.

The date for the trial has not yet been set.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Ashee Pamma
Ashee Pamma
Ashee is a writer for ITWC. She completed her degree in Communication and Media Studies at Carleton University in Ottawa. She hopes to become a columnist after further studies in Journalism. You can email her at [email protected]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now