The Canadian federal government will pay $8.7 million to settle a class-action lawsuit tied to a 2020 data breach that compromised the personal and financial information of more than 47,000 Canadians through the Canada Revenue Agency (CRA) MyAccount portal and other government websites. Federal Court Justice Richard Southcott approved the settlement on Tuesday, ruling it "fair, reasonable, and in the best interests of the class as a whole."
What Happened
Throughout 2020, attackers compromised tens of thousands of Canadian government accounts during at least three separate cyberattacks. The breach affected the CRA's MyAccount portal and other federal government login systems during the earliest months of the COVID-19 pandemic. Court filings allege that government and CRA "failings" enabled the intrusions to persist over several months, with the class-action plaintiffs describing the agency's response as "reprehensible." The settlement, reached last December and approved this week, ends a years-long legal battle, with payouts varying based on how individual taxpayers were affected.
What Was Taken
More than 47,000 people had personal and financial information compromised in the summer of 2020 alone. Stolen data included:
- Social insurance numbers (SINs)
- Home addresses
- Bank account details
- CRA account credentials and tax records
- Personal identifiers sufficient to impersonate victims
Attackers leveraged this data to file fraudulent claims under the Canada Emergency Response Benefit (CERB) and the Canada Emergency Student Benefit (CESB), and to divert legitimate benefit payments to attacker-controlled bank accounts.
Why It Matters
This settlement represents one of the largest acknowledgements of government accountability for a public-sector breach in Canadian history. It establishes a precedent that government agencies can be held financially liable when authentication failures permit large-scale identity theft. For defenders, the case demonstrates how rapidly stood-up emergency benefit programs become high-value targets for fraud, and how credential-based attacks against citizen-facing portals can scale into systemic incidents. The pandemic-era rush to digital services created enduring exposure that adversaries continue to exploit.
The Attack Technique
Public reporting and court filings indicate the attackers relied primarily on credential stuffing, leveraging usernames and passwords harvested from prior third-party breaches and reused on government login systems. Once authenticated, attackers exploited weak account-recovery flows and the absence of robust multi-factor authentication on the GCKey and CRA MyAccount platforms to take over legitimate accounts. With access established, they updated direct-deposit information, redirected pending benefits, and submitted fraudulent CERB and CESB applications using victims' real identifying data. The CRA temporarily suspended online services in August 2020 in response.
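The detection side of this technique, as an added example that is not part of the original article and does not represent any CRA or GCKey system: a credential-stuffing signature is one source cycling through many distinct usernames with a high failure ratio in a short window, and any success inside such a window marks an account that should be treated as at risk. The log format, field names, thresholds and the local stand-in for a breached-password range lookup (the k-anonymity prefix scheme HIBP uses) are all assumptions; the log lines are constructed.

```python
"""Credential-stuffing detection over an authentication log (added illustration).

Assumed input: JSON-lines login events with ts/ip/user/result fields.
The sample log, thresholds and the range-lookup table are constructed.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 walks through six different usernames in a
# few seconds with mostly failures (stuffing pattern); 198.51.100.9 is an
# ordinary user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
{"ts": "2020-08-01T10:00:00Z", "ip": "203.0.113.7", "user": "alice", "result": "fail"}
{"ts": "2020-08-01T10:00:01Z", "ip": "203.0.113.7", "user": "bob", "result": "fail"}
{"ts": "2020-08-01T10:00:02Z", "ip": "203.0.113.7", "user": "carol", "result": "success"}
{"ts": "2020-08-01T10:00:03Z", "ip": "203.0.113.7", "user": "dave", "result": "fail"}
{"ts": "2020-08-01T10:00:04Z", "ip": "203.0.113.7", "user": "erin", "result": "fail"}
{"ts": "2020-08-01T10:00:05Z", "ip": "203.0.113.7", "user": "frank", "result": "fail"}
{"ts": "2020-08-01T10:02:00Z", "ip": "198.51.100.9", "user": "alice", "result": "fail"}
{"ts": "2020-08-01T10:02:30Z", "ip": "198.51.100.9", "user": "alice", "result": "success"}
{"ts": "2020-08-01T11:30:00Z", "ip": "203.0.113.7", "user": "grace", "result": "fail"}
"""

WINDOW = timedelta(minutes=5)      # assumed sliding window per source IP
MIN_DISTINCT_USERS = 5             # assumed: many different usernames from one source
MIN_FAIL_RATIO = 0.6               # assumed: most attempts fail when passwords are guessed


def parse_events(text):
    """Parse JSON-lines events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: alert} for sources whose worst window looks like stuffing.

    at_risk_accounts lists users that authenticated successfully from a
    flagged source inside the flagged window: candidates for forced
    password reset and step-up review, not proof of compromise.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if e["result"] == "fail")
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                # Keep the window with the most distinct usernames for this source.
                if ip not in alerts or len(users) > alerts[ip]["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "failures": failures,
                        "at_risk_accounts": sorted(
                            e["user"] for e in win if e["result"] == "success"),
                    }
    return alerts


# Constructed stand-in for a breached-password range service: the caller sends
# only the first five hex characters of the SHA-1 and receives "SUFFIX:COUNT"
# lines for that prefix, so the full hash never leaves the host.
_CONSTRUCTED_RANGE_TABLE = {
    "5BAA6": ["1E4C9B93F3F0682250B6CF8331B7EE68FD8:123",   # SHA-1 of "password"
              "0000000000000000000000000000000000A:7"],    # filler entry
}


def local_range_lookup(prefix):
    """Assumed lookup interface; a real deployment would query the service over HTTPS."""
    return _CONSTRUCTED_RANGE_TABLE.get(prefix, [])


def password_in_breach_corpus(password, range_lookup):
    """Return how often the password appears in the corpus (0 if not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    print(detect_stuffing(parse_events(SAMPLE_LOG)))
    print(password_in_breach_corpus("password", local_range_lookup))
```

Two design points worth noting: the detector keys on distinct usernames per source rather than on failures per account, because stuffing spreads a handful of attempts across many accounts and never trips a per-account lockout; and the breach-corpus check is run at password-set and login time so a reused password from a third-party breach is refused before it can be replayed here.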
What Organizations Should Do
- Enforce phishing-resistant MFA on all citizen-facing and employee portals, prioritizing FIDO2/WebAuthn over SMS-based factors.
- Monitor for credential stuffing by deploying anomaly detection on login endpoints, rate-limiting authentication attempts, and integrating breached-credential databases (e.g., HIBP) into password validation.
- Harden account recovery flows by requiring step-up verification for changes to direct-deposit details, contact information, and recovery email or phone numbers.
- Audit benefit and payment systems for account takeover indicators, including bulk banking-detail changes, geolocation anomalies, and rapid claim submissions from newly modified accounts.
- Implement transaction-level alerting so users are notified out-of-band whenever sensitive account changes occur, giving victims a chance to detect fraud early.
- Plan for breach liability by reviewing incident response, notification, and remediation procedures with legal counsel, given the rising precedent for class-action exposure following identity-data compromises.
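The recovery-hardening, takeover-indicator and out-of-band alerting items above, as one added example that is not part of the original article and models no real CRA or benefit system: a direct-deposit change is refused unless a second-factor verification is fresh, every accepted change is reported over a channel separate from the portal session, and a batch pass over the change and claim history flags the two indicators the list names (many accounts re-pointed to one destination, and a claim filed shortly after a banking-detail change). The data model, thresholds, notifier interface and the scenario data are all assumptions.

```python
"""Account-takeover controls for a benefit-payment portal (added illustration).

Everything here is an assumption for the example: the Account model, the
step-up freshness window, the indicator thresholds and the demo scenario.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

STEP_UP_MAX_AGE = timedelta(minutes=5)          # assumed: second factor must be this fresh
CLAIM_AFTER_CHANGE_WINDOW = timedelta(hours=24)  # assumed: claim soon after banking change
SHARED_DESTINATION_THRESHOLD = 3                 # assumed: one bank account for >= 3 users


@dataclass
class Account:
    user_id: str
    contact_email: str                 # out-of-band channel, not tied to the web session
    bank_account: str
    mfa_verified_at: Optional[datetime] = None


class StepUpRequired(Exception):
    """Raised when a sensitive change is attempted without fresh verification."""


def mask(account_no):
    """Show only the last four digits in notifications."""
    return "*" * (len(account_no) - 4) + account_no[-4:]


class BenefitPortal:
    def __init__(self, accounts, notifier, now):
        self.accounts = {a.user_id: a for a in accounts}
        self.notifier = notifier   # assumed callable(email, message)
        self.now = now             # injected clock so the demo is deterministic
        self.changes = []          # audit trail: (ts, user_id, old, new)
        self.claims = []           # (ts, user_id)

    def change_direct_deposit(self, user_id, new_bank_account):
        acct = self.accounts[user_id]
        # Step-up: an authenticated session is not enough for a payment-destination
        # change; the second factor must have been completed within STEP_UP_MAX_AGE.
        if acct.mfa_verified_at is None or self.now() - acct.mfa_verified_at > STEP_UP_MAX_AGE:
            raise StepUpRequired(user_id)
        old = acct.bank_account
        acct.bank_account = new_bank_account
        self.changes.append((self.now(), user_id, old, new_bank_account))
        # Out-of-band notice gives the legitimate owner a chance to spot the change.
        self.notifier(acct.contact_email,
                      f"Direct-deposit details changed from {mask(old)} to {mask(new_bank_account)}")
        return True

    def submit_claim(self, user_id):
        self.claims.append((self.now(), user_id))


def takeover_indicators(portal):
    """Batch review of the audit trail; returns a list of (kind, subject, detail)."""
    findings = []
    # Indicator 1: the same destination account appearing across many users.
    destination_users = defaultdict(set)
    for _, uid, _, new in portal.changes:
        destination_users[new].add(uid)
    for dest, users in destination_users.items():
        if len(users) >= SHARED_DESTINATION_THRESHOLD:
            findings.append(("shared_destination", dest, sorted(users)))
    # Indicator 2: a claim submitted shortly after a banking-detail change.
    last_change = {}
    for ts, uid, _, _ in portal.changes:   # changes are appended chronologically
        last_change[uid] = ts
    for ts, uid in portal.claims:
        if uid in last_change:
            delta = ts - last_change[uid]
            if timedelta(0) <= delta <= CLAIM_AFTER_CHANGE_WINDOW:
                findings.append(("claim_after_change", uid, delta))
    return findings


def run_demo():
    """Constructed scenario: three accounts re-pointed to one destination, one legitimate change."""
    clock = {"t": datetime(2020, 8, 1, 9, 0, 0)}
    now = lambda: clock["t"]
    sent = []
    accounts = [Account(f"user{i}", f"user{i}@example.invalid", f"1111222233{i:02d}")
                for i in range(4)]
    portal = BenefitPortal(accounts, lambda email, msg: sent.append((email, msg)), now)

    # A change attempted without fresh step-up verification is refused.
    blocked = False
    try:
        portal.change_direct_deposit("user0", "0000999988880")
    except StepUpRequired:
        blocked = True

    # Three accounts changed (step-up marked complete for the demo) and claims filed minutes later.
    for uid in ("user0", "user1", "user2"):
        portal.accounts[uid].mfa_verified_at = now()
        portal.change_direct_deposit(uid, "0000999988880")
        clock["t"] += timedelta(minutes=10)
        portal.submit_claim(uid)

    # user3 updates details legitimately and claims a week later.
    portal.accounts["user3"].mfa_verified_at = now()
    portal.change_direct_deposit("user3", "5555666677778")
    clock["t"] += timedelta(days=7)
    portal.submit_claim("user3")

    return {"blocked_without_step_up": blocked,
            "notifications": len(sent),
            "findings": takeover_indicators(portal)}


if __name__ == "__main__":
    for finding in run_demo()["findings"]:
        print(finding)
```

The step-up check and the batch indicators are deliberately independent layers: step-up stops a session that was established with a stuffed password from changing the payment destination on its own, while the audit-trail pass catches the pattern that only becomes visible across accounts, where a single change looks ordinary in isolation.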