
Federal Court approves $8.7 million settlement over 2020 Canada Revenue Agency data breaches

  • Marijan Hassan - Tech Journalist
  • 22 hours ago
  • 2 min read

In a final resolution to a six-year legal battle, the Federal Court of Canada has approved an $8.76 million class-action settlement between the federal government and tens of thousands of Canadians whose sensitive information was compromised during a series of 2020 cyberattacks.



The agreement, greenlit by Federal Court Justice Richard Southcott on May 5, 2026, addresses a massive security failure that saw hackers infiltrate approximately 47,000 government accounts, including those on the Canada Revenue Agency (CRA) My Account and My Service Canada portals.


A low-tech breach with high-stakes consequences

The breaches occurred between March and December 2020, at the height of the COVID-19 pandemic. Attackers used stolen credentials to gain access to unrelated accounts. Once inside, bad actors accessed a treasure trove of personal data, including:

  • Social Insurance Numbers (SINs)

  • Direct deposit banking information

  • Tax records and employment history


In many instances, hackers used these compromised profiles to fraudulently apply for emergency financial aid, such as the Canada Emergency Response Benefit (CERB) and the Canada Emergency Student Benefit (CESB). They also diverted legitimate payments to unauthorized bank accounts.


Tiered payouts for victims

The settlement, which will be administered by KPMG, offers compensation on a tiered basis depending on the severity of the impact:

  • Access Claims: Individuals whose data was accessed but not used for fraud can claim $20 per hour for up to four hours of "lost time and inconvenience" (maximum $80).

  • Fraud Claims: Victims who suffered fraudulent benefit applications in their names can claim up to $200 for time spent resolving the issue.

  • Out-of-Pocket Expenses: All class members are eligible to apply for reimbursement of up to $5,000 for documented financial losses, such as identity theft fees or credit repair costs.


A warning for the AI era

While the settlement marks the end of the legal proceedings, cybersecurity experts warn that the underlying vulnerability remains a critical threat. The CRA breach was not a sophisticated hack but a failure of "basic hygiene," as the agency’s system at the time allowed attackers to bypass additional verification steps.


Experts noted that while the 2020 attacks were "old school," the rise of generative AI in 2026 is supercharging these methods. AI now allows threat actors to correlate leaked datasets and automate credential stuffing at an unprecedented scale, making layered defenses like Multi-Factor Authentication (MFA) non-negotiable for public and private organizations alike.


Any funds remaining from the $8.7 million settlement after all claims are processed will be donated to the Privacy and Access Council of Canada to support ongoing privacy research.
