Canadian government to pay $8.7M to settle data breach class-action involving CRA accounts



The federal government will pay $8.7 million to settle a class-action lawsuit involving tens of thousands of Canadians whose sensitive information was compromised or stolen when hackers got into their accounts on government websites, including the Canada Revenue Agency (CRA) portal.

Hackers targeted government accounts over several months in 2020 largely for the purpose of applying for financial aid in the victims’ names during the earliest months of the COVID-19 pandemic, including the Canadian Emergency Relief Benefit (CERB) or the Canadian Emergency Student Benefit (CESB). 

More than 47,000 people had their personal and financial information compromised that summer alone, from social insurance numbers and home addresses to details of their bank accounts.

The class-action settlement reached last December was approved in court on Tuesday. Some taxpayers can claim more than others, depending on how they were affected.

“I find that the proposed settlement is fair, reasonable, and in the best interests of the class as a whole,” Federal Court Justice Richard Southcott wrote in his decision.

The agreement brings to an end a years-long legal battle, in which victims claimed government and CRA “failings” allowed at least three cyberattacks over the course of the year. Court filings said hackers used private information to impersonate victims, file fraudulent claims under the emergency programs or divert authentic claims to other bank accounts.

The CRA did not respond to a request for comment by deadline, but released a statement about the settlement when it was proposed last December.

“The … settlement is a compromise of disputed claims and is not an admission of liability or wrongdoing or fault by any of the defendants,” it read. “The Government of Canada denies that it did anything wrong.”

Court heard the lead plaintiff, Todd Sweet of Clinton, B.C., discovered his account had been hacked in July 2020 after he received emails notifying him the email address associated with his account had been changed. He logged into the CRA’s online portal to find someone had changed his direct deposit information and filed four applications for CERB in his name.

The next month, the CRA temporarily shut down its online services after other Canadians shared similar stories online. The lawsuit was filed in B.C. weeks later, claiming the agency’s failure to properly secure the website or more quickly detect the breach was “reprehensible and showed a callous disregard for the rights of [victims].”

Canadians attempting to log in to their Canada Revenue Agency accounts were met with this message for a period of time in August 2020. (CBC News)

Hackers used logins repeated elsewhere

Hackers got into the victims’ MyAccount CRA profiles through what cybersecurity experts call “credential stuffing,” a scheme in which thieves use usernames and passwords leaked from one website to log in to another. (The method is one of the reasons why users are encouraged to create strong, unique passwords for each of their online accounts rather than recycling login information.)

Typically, the correct username and password are only the first step to log in to the CRA’s MyAccount portal — users usually need to answer a security question as Step 2. But during the breach in the summer of 2020, Southcott previously wrote, hackers were “able to bypass the security questions … because of a misconfiguration in CRA’s credential management software.”

Court filings said the CRA found out about the problem on Aug. 6, 2020, when a “law enforcement partner” alerted officials that someone was selling the method on the dark web. Southcott said the agency fixed the issue four days later, “among other steps taken to respond to the data breach.”

Hackers used the same scheme that summer to get into My Service Canada Accounts and other online government accounts accessed with the Government of Canada branded credential service key, known as GCKey.
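
For readers on the defending side, the two failures described above (reused logins tried in bulk, then a session granted without Step 2) correspond to two checks over authentication logs. The sketch below is an added example, not code from the article, the court filings or the CRA; the event format, account names, addresses and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed auth events (hypothetical format, not CRA logs):
# (source_ip, username, step, outcome); steps are "password" (Step 1),
# "question" (Step 2) and "session" (authenticated session issued).
EVENTS = (
    [("203.0.113.7", f"user{i}", "password", "fail") for i in range(18)]
    + [
        ("203.0.113.7", "acct_a", "password", "ok"),
        ("203.0.113.7", "acct_a", "session", "ok"),    # no Step 2 seen
        ("203.0.113.7", "acct_b", "password", "ok"),
        ("203.0.113.7", "acct_b", "session", "ok"),    # no Step 2 seen
        ("198.51.100.4", "acct_c", "password", "fail"),  # ordinary typo
        ("198.51.100.4", "acct_c", "password", "ok"),
        ("198.51.100.4", "acct_c", "question", "ok"),
        ("198.51.100.4", "acct_c", "session", "ok"),
    ]
)


def stuffing_sources(events, min_users=10, max_success_ratio=0.25):
    """Source IPs that try many distinct usernames at Step 1 and mostly fail."""
    tried, succeeded = defaultdict(set), defaultdict(set)
    for ip, user, step, outcome in events:
        if step == "password":
            tried[ip].add(user)
            if outcome == "ok":
                succeeded[ip].add(user)
    return {
        ip for ip, users in tried.items()
        if len(users) >= min_users
        and len(succeeded[ip]) / len(users) <= max_success_ratio
    }


def step2_bypasses(events):
    """(ip, user) pairs issued a session without a successful Step 2 first."""
    passed_step2, bypassed = set(), []
    for ip, user, step, outcome in events:
        if step == "question" and outcome == "ok":
            passed_step2.add((ip, user))
        elif step == "session" and outcome == "ok" and (ip, user) not in passed_step2:
            bypassed.append((ip, user))
    return bypassed
```

The second check is the one that matters for a misconfiguration like the one the court described: it flags any session issued without a recorded Step 2 success, regardless of how many accounts the source tried.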

Roughly $6 million of the $8.7 million settlement has been set aside for Canadians whose information was accessed from all of those government websites with the “credential stuffing” method between June 26 and Aug. 18, 2020. The rest of the settlement covers legal fees, special honorariums for key plaintiffs — including Sweet — and administrative costs.

People whose personal information was accessed in the relevant time period can claim $20 an hour for their lost time and “inconvenience,” for up to four hours – a maximum payout of $80. If hackers used their information to apply for fraudulent CERB benefits or divert legitimate CERB payments, they can bill the government at the same rate up to $200.

The settlement will be administered by KPMG, which created a website for the class action.

Both groups can claim up to $5,000 for out-of-pocket costs they might have paid in the year after the hack in relation to identity theft, like credit card charges or other fees.

If there’s any money from the settlement amount left over or left unclaimed, it won’t stay with the government: Ottawa agreed to donate any excess to the Privacy and Access Council of Canada to fund privacy research.

Twenty-nine people — far less than one per cent of the class — objected to the settlement for various reasons, though the ruling said most disapproved because they believed the dollar amount was too low. Southcott said those people have a period of time to opt out of the class action, which would allow them to file a lawsuit on their own if they wished.

In his decision, Southcott acknowledged the settlement might “be wholly inadequate” for some victims, “particularly those who allege that they have suffered significant mental, physical, and financial harm.” Still, he said the deal is meant to provide “a reasonable level of compensation” for the class as a whole.


