Following cyberattacks that targeted CRA accounts and other government services back in 2020, the Federal Court of Canada has certified a class action lawsuit against the and Government of Canada, alleging negligence in “safeguarding the confidential information of Canadians, leading to widespread privacy breaches.”
The plaintiff, Todd Sweet, a retired police officer from B.C., claims that “inadequate safeguards” within several online government portals threw sensitive information in jeopardy, allowing “bad actors” to access the online accounts of Canadians without their consent.
Along with breaching private accounts, Sweet alleges that hackers were able to fraudulently apply for the Canada Emergency Response Benefit, disqualifying the possibility of people in need receiving the necessary funding.
Sweet is asking the court to order the Canadian government to financially compensate those whose accounts were compromised, as well as issue monitoring services that may be needed to repair the harm imposed.
The allegations made in the lawsuit have not been tested in court. According to the notice of certification, the federal government denies any wrongdoing in the matter.
In August of 2020, the CRA temporarily suspended its online services after two cyberattacks which compromised thousands of stolden udernames and passwords.
According to the federal government, a total of 11,200 accounts for federal government services were targeted in what was described as “credential stuffing” schemes – a ploy in which hackers use passwords and usernames from other online portals to access Canadians’ accounts with the revenue agency.
Officials said they first discovered the security breaches on Aug. 7 2020 but didn’t contact the RCMP until Aug. 11, 2020.
Anyone whose personal or financial information in their Government of Canada Online Account was accessed by an unauthorized third party between March 1 and December 31 of 2020 is automatically included in this class action. Government of Canada Online Accounts include CRA accounts, My Service Canada accounts, and any other federal government services that is accessed using GCKey.
Those affected by these security breaches don’t need to do anything to be involved in these class action proceedings, but can choose to opt out of the lawsuit, the notice said.
“If you do not want to be part of the lawsuit, you must notify class counsel by mail or e-mail that you want to opt out at the address below by no later than November 27, 2023,” the notice said.
“If you are a class member and you don’t opt out, you won’t be able to make your own claim against the Government of Canada for any specific individual damages you may have suffered.”
The notice further explained that damages will be sought for the class as a whole, meaning the judge will determine how any such compensation should be divided between affected members.