Canadian Government Settles 8.7 Million Dollar Class-Action Lawsuit Over CRA Data Breach

The federal government will pay 8.7 million dollars to settle a lawsuit involving tens of thousands of Canadians whose sensitive data was stolen during 2020 cyberattacks on the CRA portal.

The Canadian federal government has officially agreed to pay 8.7 million dollars to resolve a comprehensive class-action lawsuit. This legal action was initiated by tens of thousands of Canadian citizens whose highly sensitive personal and financial information was compromised or stolen after cybercriminals gained unauthorized access to various government portals. The breach primarily targeted the Canada Revenue Agency (CRA) MyAccount portal, but it also extended to other government services accessed through the GCKey credential system. During the peak of the COVID-19 pandemic in 2020, hackers exploited vulnerabilities in the system to steal social insurance numbers, home addresses, and banking details of more than 47,000 individuals. The scale of the breach highlighted significant gaps in the digital security infrastructure of the state during a period of national crisis.

The motive behind these cyberattacks was largely financial opportunism. By infiltrating these accounts, hackers were able to impersonate legitimate citizens to file fraudulent applications for emergency financial aid. Specifically, they targeted the Canadian Emergency Relief Benefit (CERB) and the Canadian Emergency Student Benefit (CESB), diverting funds meant for struggling citizens into the bank accounts of the attackers.

The breach occurred through a method known as credential stuffing, where thieves use combinations of usernames and passwords leaked from other websites to gain entry into different platforms.
While the CRA usually requires a secondary security question to verify identity, a critical misconfiguration in the agency's credential management software allowed hackers to bypass this layer of protection entirely.

The agency only became aware of the vulnerability on August 6, 2020, after a law enforcement partner warned them that the method for bypassing security was being sold on the dark web. The legal battle lasted for several years, with plaintiffs arguing that the government and the CRA exhibited reprehensible failings in their duty to secure taxpayer data.

Todd Sweet, a resident of Clinton, British Columbia, served as the lead plaintiff after discovering his own account had been hijacked in July 2020. Sweet noticed that the email address linked to his account had been changed without his consent, and upon logging in, he found that his direct deposit information had been altered and four fraudulent CERB applications had been submitted in his name.

This case highlighted the systemic vulnerabilities that existed within the federal government's digital infrastructure during a period of high stress and rapid digital transition. Federal Court Justice Richard Southcott eventually approved the settlement, stating that the agreement was fair, reasonable, and in the best interests of the affected class of people. Despite the payout, the federal government maintains its position that it did nothing wrong and explicitly denies any admission of liability or fault.

The settlement serves as a compromise to end the dispute rather than a confession of negligence. Of the total 8.7 million dollars, approximately 6 million dollars has been allocated specifically for the victims whose information was accessed between June 26 and August 18, 2020. The remaining funds are designated for legal fees, administrative costs, and honorariums for key plaintiffs.
Eligible claimants can seek compensation for their lost time and the general inconvenience caused by the breach.

The settlement allows affected individuals to claim 20 dollars per hour for up to four hours, resulting in a maximum payout of 80 dollars per person. While this amount may seem modest to some, it represents the legal conclusion to a breach that caused significant distress and identity theft concerns for thousands of Canadians. The incident serves as a stark reminder of the ongoing battle between government security measures and increasingly sophisticated cyber-criminal organizations that target public infrastructure.