Class action lawsuit launched against federal government over CRA cyberattack

The Federal Court of Canada has certified a class action lawsuit against the federal government, which alleges negligence in “safeguarding the confidential information of Canadians, leading to widespread privacy breaches.”

The suit follows cyberattacks that targeted Canada Revenue Agency accounts and other government services back in 2020.

The plaintiff, Todd Sweet, a retired police officer from B.C., claims that “inadequate safeguards” within several online government portals threw sensitive information in jeopardy, allowing “bad actors” to access the online accounts of Canadians without their consent.

Along with claiming private accounts were breached, Sweet alleges that hackers were able to fraudulently apply for the Canada Emergency Response Benefit (CERB), possibly disqualifying the people in need from receiving the necessary funding.

Sweet is asking the court to order the Canadian government to financially compensate those whose accounts were compromised, as well as issue monitoring services that may be needed to repair the harm imposed.

The allegations made in the lawsuit have not been tested in court. According to the notice of certification, the federal government denies any wrongdoing in the matter.

In August 2020, the CRA temporarily suspended its online services after two cyberattacks compromised thousands of stolen usernames and passwords.

According to the federal government, a total of 11,200 accounts for federal government services were targeted in what was described as "credential stuffing" schemes – a ploy in which hackers use passwords and usernames from other online portals to access Canadians' accounts with the CRA.

• Top headlines on Canadian politics, all in one place

Officials said they first discovered the security breaches on Aug. 7, 2020, but didn’t contact the RCMP until Aug. 11, 2020.

Anyone whose personal or financial information in their Government of Canada Online Account was accessed by an unauthorized third party between March 1 and Dec. 31 of 2020 is automatically included in this class action. Government of Canada Online Accounts include CRA accounts, My Service Canada accounts and any other federal government services that are accessed using GCKey.

Those affected by these security breaches don’t need to do anything to be involved in these class action proceedings, but can choose to opt out of the lawsuit, the notice said.

They can opt out by filling out a form posted on the website of the law firm representing the case.They must do this by Nov. 27.

An opt-out form and email address can also be found at the bottom of the notice of certification.

The notice further explained that damages will be sought for the class as a whole, meaning the judge would determine how any compensation should be divided among affected members.