Canada Proposes Class-Action Settlement for 2020 Credential Stuffing Attacks on Government Accounts
In August 2020, the Canadian government faced credential stuffing attacks targeting the GCKey service and Canada Revenue Agency (CRA) accounts, exposing the personal and financial data of Canadians. The breach prompted a class-action lawsuit filed by Todd Sweet, who alleged that inadequate security measures allowed unauthorized access to government portals, enabling fraudsters to exploit accounts—including filing fraudulent claims for the Canada Emergency Response Benefit (CERB).
A proposed settlement was reached in October 2025, with court approval pending for March 31, 2026. The government acknowledged that cyber threats are persistent and confirmed that affected individuals would be notified directly.
Eligibility & Compensation
Eligible class members include those whose Government of Canada Online Accounts (CRA, My Service Canada, or GCKey-linked accounts) were accessed without authorization between March 1 and December 31, 2020. However, only victims of the June 15–August 30, 2020 credential stuffing attacks—where data was either accessed or used fraudulently—may qualify for payments.
Compensation varies by impact:
- Access claims: Up to $80 ($20/hour for 4 hours) for time spent addressing the breach.
- Fraud claims: Up to $200 ($20/hour for 10 hours) if personal data was used for fraud (e.g., CERB fraud).
- Special compensation fund: Up to $5,000 for out-of-pocket expenses (e.g., fraud losses, identity theft fees).
Eligible individuals will receive instructions after the settlement is approved; no immediate action is required. The final payout amounts may be adjusted based on the number of claims.
Source: https://dailyhive.com/canada/cra-sweet-hmk-settlement
Government of Canada TPRM report: https://www.rankiteo.com/company/government-of-canada
"id": "gov1766174849",
"linkid": "government-of-canada",
"type": "Cyber Attack",
"date": "3/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Canadians with Government of '
'Canada Online Accounts',
'industry': 'Taxation and revenue services',
'location': 'Canada',
'name': 'Canada Revenue Agency (CRA)',
'size': 'Large (national government agency)',
'type': 'Government agency'},
{'customers_affected': 'Canadians with GCKey or related '
'accounts',
'industry': 'Public administration',
'location': 'Canada',
'name': 'Government of Canada',
'size': 'Large (national government)',
'type': 'Government'}],
'attack_vector': 'Compromised credentials',
'customer_advisories': 'Public statements and direct notifications to class '
'members regarding the proposed settlement.',
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable and '
'financial information)',
'type_of_data_compromised': ['Personal information',
'Financial information']},
'date_detected': '2020-08-01',
'date_publicly_disclosed': '2020-08-01',
'date_resolved': '2025-10-01',
'description': 'In August 2020, the Canadian government responded to '
"'credential stuffing' attacks mounted on the GCKey service "
'and CRA accounts. The attack led to unauthorized access to '
"Canadians' personal and financial information, with some "
'accounts used to fraudulently apply for the Canada Emergency '
'Response Benefit (CERB). A class-action lawsuit was initiated '
'by Todd Sweet, alleging negligence in safeguarding '
'confidential information. A proposed settlement was reached '
'in October 2025.',
'impact': {'brand_reputation_impact': 'Significant (allegations of '
'negligence)',
'data_compromised': 'Personal and financial information',
'identity_theft_risk': 'High (fraudulent benefit applications)',
'legal_liabilities': 'Class-action lawsuit and proposed settlement',
'operational_impact': 'Unauthorized access to government benefits '
'systems',
'systems_affected': ['CRA accounts',
'My Service Canada accounts',
'GCKey service']},
'initial_access_broker': {'entry_point': 'GCKey service and CRA accounts'},
'investigation_status': 'Settlement proposed (pending court approval)',
'lessons_learned': 'Need for stronger safeguards in government online portals '
'to prevent credential stuffing attacks and unauthorized '
'access to sensitive information.',
'motivation': 'Financial gain (fraudulent CERB applications)',
'post_incident_analysis': {'corrective_actions': 'Proposed settlement '
'includes compensation for '
'affected individuals and '
'potential improvements to '
'security measures.',
'root_causes': 'Inadequate safeguards in '
'government online portals allowing '
'credential stuffing attacks'},
'recommendations': ['Implement multi-factor authentication (MFA) for '
'government online accounts',
'Enhance monitoring and detection of credential stuffing '
'attacks',
'Improve incident response and communication strategies',
'Provide credit monitoring services for affected '
'individuals'],
'references': [{'source': 'Treasury Board of Canada Secretariat'},
{'source': 'Federal Government Notice'}],
'regulatory_compliance': {'legal_actions': 'Class-action lawsuit (T-982-20)',
'regulations_violated': ['Privacy laws (alleged '
'negligence)'],
'regulatory_notifications': 'Direct notifications '
'to impacted '
'individuals'},
'response': {'communication_strategy': 'Direct notifications to impacted '
'individuals and public statements'},
'stakeholder_advisories': 'Government departments sent direct notifications '
'to impacted individuals.',
'title': 'Canada Revenue Agency (CRA) and Government of Canada Credential '
'Stuffing Attack',
'type': 'Credential Stuffing',
'vulnerability_exploited': 'Inadequate safeguards in government online '
'portals'}