Federal government to pay $8.7 million in settlement over CRA and GCKey data breach class action

The federal government will pay $8.7 million to settle a class-action lawsuit involving tens of thousands of Canadians whose personal and financial information was compromised when hackers accessed online government accounts during the early months of the pandemic. The Federal Court has now approved the settlement, bringing a years-long legal battle over the 2020 breaches closer to an end.

The case, known as Sweet v. His Majesty the King, focused on privacy breaches affecting accounts such as the CRA’s My Account portal, My Service Canada Account, and other federal services accessed through GCKey. The certified class covers people who experienced a privacy breach involving those online government accounts between March 1 and December 31, 2020.

Hackers targeted government accounts during the pandemic

The lawsuit arose from a series of cyberattacks in 2020, when hackers accessed government accounts largely to submit fraudulent applications for pandemic benefits such as CERB and CESB. Victims’ personal information — including names, addresses and financial details — was allegedly used to impersonate account holders or redirect legitimate payments.

Court materials tied to the settlement say the attacks included “credential stuffing,” a method in which stolen usernames and passwords from one breach are reused to try to access accounts on other websites. The proposed settlement notice says class members include those whose information was accessed through CRA accounts, My Service Canada Accounts or other GCKey-linked government accounts.

Court approves deal as fair and reasonable

The settlement was first announced by the federal government in December 2025, after the parties reached agreement in October 2025. A settlement approval hearing was scheduled for March 31, 2026, in Federal Court in Vancouver. The court has now approved the deal, with reporting indicating Justice Richard Southcott found the agreement fair, reasonable and in the best interests of the class as a whole.

The federal government has maintained that the settlement is a compromise of disputed claims and is not an admission of liability, wrongdoing or fault.

How compensation will work

According to the official settlement notice, the $8.7 million fund includes compensation for affected class members, along with legal fees, administrative costs and honoraria for representative plaintiffs. The settlement website says class members may be able to claim compensation depending on how they were affected by the breach.

The notice says some claimants can seek payment for lost time and inconvenience, while those whose information was used in fraudulent CERB-related activity may be eligible for additional compensation. It also allows claims for certain out-of-pocket costs linked to identity theft or fraud, subject to the terms of the settlement. Any unclaimed remainder is set to go to the Privacy and Access Council of Canada to support privacy research.

Settlement closes one chapter, but concerns remain

The case began after Canadians reported unauthorized changes to their CRA accounts in 2020, including altered email addresses and direct deposit information. One of the lead plaintiffs, Todd Sweet of Clinton, B.C., said he discovered someone had filed CERB claims in his name after his CRA account was altered. The lawsuit that followed argued the government and CRA failed to properly protect users’ information and did not detect the breaches quickly enough.

Even with the settlement approved, the broader fallout from the breaches remains significant for many affected Canadians. The agreement is designed to provide compensation across the class as a whole, though some victims who believe the amount is inadequate may still weigh whether to remain in the class or pursue other options where permitted under the settlement process.