Canadians who use Government of Canada online services such as the Canada Revenue Agency (CRA) “My Account” or other federal digital portals may now be eligible for compensation following a court-approved class-action settlement.
The Federal Court approved the settlement on Tuesday, May 5, 2026, bringing closure to a nationwide class action involving allegations that government online systems failed to adequately protect user data during a large-scale cyberattack. The court found the settlement terms to be fair, reasonable, and in the best interests of affected individuals.
As part of the agreement, the Government of Canada will pay $8.7 million to resolve claims related to unauthorized access to thousands of online accounts during a series of “credential stuffing” attacks.
The case centers on concerns that sensitive personal and financial data stored in government systems was exposed, misused, and in some cases exploited for fraudulent benefit claims.
Background of the CRA and GCKey Data Breach Allegations
What triggered the class action lawsuit
The lawsuit originated after widespread cyberattacks in 2020 targeting Government of Canada digital platforms. These attacks focused on login credentials used for services such as:
- CRA “My Account”
- My Service Canada Account
- GCKey authentication system
Hackers used a method known as credential stuffing, which involves testing username and password combinations stolen from other websites to gain unauthorized access to government accounts.
Following these incidents, plaintiff Todd Sweet filed a class-action lawsuit against the Canada Revenue Agency and the Government of Canada.
He alleged that federal systems lacked sufficient safeguards, which allowed attackers to access sensitive personal data belonging to Canadians.
Allegations made in the lawsuit
According to the claim, government systems were not adequately protected, resulting in unauthorized access to confidential information such as:
- Social insurance numbers
- Home addresses
- Banking information
- Employment and tax records
The lawsuit also alleged that compromised accounts were sometimes used to fraudulently apply for federal emergency benefits, including the Canada Emergency Response Benefit (CERB).
Sweet argued that the government should be held responsible for failing to protect citizen data and should compensate victims for financial losses, identity risks, and time spent resolving issues caused by the breach.
He also requested reimbursement for expenses related to credit monitoring and identity protection services.
Government response to the allegations
The Treasury Board of Canada Secretariat acknowledged that government systems, like all large digital platforms, face constant cyber threats.
Officials noted that security enhancements were implemented following the attacks and that notifications were sent to individuals believed to have been affected.
They also emphasized that public institutions globally continue to face increasing cybersecurity risks due to evolving hacking techniques.
Federal Court Approval of the $8.7 Million Settlement
Court ruling on fairness and compensation
In his ruling, Federal Court Justice Richard Southcott confirmed that the settlement agreement meets legal standards for fairness and adequacy.
He stated that the terms are reasonable and in the best interests of class members, allowing the case to be resolved without further lengthy litigation.
The approval means the federal government will pay $8.7 million to resolve claims from individuals whose accounts were affected.
Who administers the settlement
The settlement is being managed by KPMG, which is responsible for handling claims, verifying eligibility, and distributing payments to approved applicants.
KPMG has also created an official information portal outlining eligibility criteria and instructions for claim submissions.
Who Is Eligible for Compensation
Definition of class members
According to the settlement terms, you may be considered a class member if:
Your personal or financial information in a Government of Canada online account was accessed or disclosed to an unauthorized third party between March 1, 2020, and December 31, 2020.
This includes users of:
- CRA online accounts
- My Service Canada accounts
- Any federal service accessed through GCKey
However, eligibility is further limited based on the specific time period and nature of the breach.
Key eligibility window
Although the broader class period covers March to December 2020, compensation is primarily focused on individuals affected by credential stuffing attacks between June 15 and August 30, 2020.
To qualify for payment, your account must have been:
- Accessed without authorization, or
- Accessed and used fraudulently
This means not all affected individuals will automatically receive compensation.
Excluded individuals
Some individuals are excluded from the settlement, including those who previously contacted legal counsel involved in related litigation before June 24, 2021.
These exclusions are standard in class-action agreements to prevent overlapping claims.
Types of Compensation Available
The settlement provides different categories of compensation depending on the level of impact experienced.
Access Claims: Compensation for Time and Inconvenience
Who qualifies for access claims
You may qualify for an access claim if your account was accessed but not used for fraudulent activity.
This category applies to individuals who experienced unauthorized access without direct financial loss.
How much you can receive
Eligible individuals can claim compensation for time spent addressing issues related to the breach, including:
- Contacting government departments
- Speaking with credit agencies
- Reporting incidents to law enforcement
The compensation rate is $20 per hour, up to a maximum of four hours.
This means the maximum payout for access claims is $80.
Fraud Claims: Higher Compensation for Misuse of Accounts
Who qualifies for fraud claims
Fraud claims apply when your personal information was not only accessed but also used for fraudulent activity.
Examples include:
- Unauthorized CERB applications
- Misuse of Canada Emergency Student Benefit (CESB)
- Fraudulent Employment Insurance (EI) claims
- Diversion of legitimate benefit payments to unauthorized bank accounts
Compensation for fraud victims
Individuals affected by fraudulent activity may claim:
- $20 per hour for time spent resolving issues
- Up to a maximum of 10 hours
This results in a maximum payout of $200 for fraud-related claims.
Special Compensation Fund for Financial Losses
Additional reimbursement available
In addition to access and fraud claims, eligible individuals may apply for reimbursement of out-of-pocket expenses up to $5,000.
This category covers more serious financial impacts related to identity theft or fraud.
What expenses may be covered
Eligible costs include:
- Unreimbursed fraud losses
- Fees paid for identity theft protection services
- Professional fees related to fraud resolution
- Costs associated with credit freezes or monitoring
- Bank fees or penalties caused by fraudulent activity
Possible reductions in payouts
The final amount of compensation may be adjusted depending on the total number of claims submitted.
If a large number of individuals apply, payouts may be proportionally reduced to ensure fair distribution of funds.
How to Apply for the Settlement
Automatic inclusion in the class action
Most eligible individuals do not need to take any immediate action.
Class members are automatically included unless they chose to opt out of the lawsuit earlier in the process.
Notification and claim process
Once the claims process opens, eligible individuals will be notified in writing.
These notifications will include instructions on:
- How to confirm eligibility
- How to submit a claim
- Required documentation for fraud or expense claims
KPMG will oversee the full application process and verify submitted claims before issuing payments.
What Canadians Should Do Next
No immediate action required for most users
If you believe you used CRA My Account, GCKey, or other federal online services during the affected period, you do not need to submit anything immediately.
Instead, you should:
- Wait for official notification
- Monitor email and mail for updates from the claims administrator
- Review eligibility instructions when they arrive
Why staying informed matters
Cybersecurity incidents involving government systems often take years to resolve legally.
This settlement represents one of several efforts to compensate individuals affected by large-scale digital breaches.
Even if the financial compensation is modest for many claimants, the case highlights the growing importance of online security and identity protection in government services.
Final Summary of the Settlement
The Federal Court-approved settlement marks the conclusion of a major class-action lawsuit involving alleged privacy failures in Government of Canada online accounts.

