The Federal Court of Canada has certified the class action filed against the Government of Canada over the spate of cyber incidents that took place between March and September 2020 attacking the Canada Revenue Agency (CRA) accounts of over 45,000 Canadians.
The cyber incidents, the government said at the time, used credential stuffing, where passwords and usernames collected from previous hacks in other organizations are entered to access CRA accounts.
The class action suit, which was initiated in August 2020, first requires certification from the Federal Court to determine if the case should, in fact, be dealt with as a class proceeding. To determine that, the court usually sees, among other factors, whether there is an identifiable class (a large group of affected people), an issue common to the class and if there is an appropriate representative plaintiff.
The representative plaintiff, B.C. resident Todd Sweet, claims that he logged into his CRA online account in July 2020 after being notified by email that his direct deposit information has been changed and that, on June 29, 2020, using his account, an unknown and unauthorized individual had made four applications for the Canada Emergency Response Benefit (CERB), a program initiated by the government to provide financial assistance to qualifying Canadians during the COVID-19 pandemic.
He is, the notice of certification document says, one of a potential class of thousands of people whose online accounts, accessed via the Government of Canada Branded Credential Service Key (GCKey), were vulnerable to hackers.
Of the 48,110 My Account users who were impacted, 12,700 saw the threat actor change the taxpayer’s direct deposit banking information and fraudulently apply for CERB. Employment and Social Development Canada (ESDC) accounts reportedly suffered the greatest impact from the attack.
The class action, hence, alleges that the government has been negligent in safeguarding the confidential information of Canadians, who suffered damages including costs in preventing identity theft, damage to credit reputation, mental distress, monies withdrawn from their bank accounts without their consent, time lost in communication with the CRA, ESDC and other government agencies, and more.
The government denies any wrongdoing.
The plaintiff is asking the court to order the Government of Canada to pay compensation for, among other things, the alleged breach of privacy, and for credit monitoring services that may be required to repair the harm caused.
Every affected person whose government online account was accessed via GCKey between Mar. 1, 2020 and Dec. 31, 2020 is automatically included in this class action.
If a class member wishes to opt-out, they can do so by emailing the class counsel, and no outcome – good or bad, would be applied to them.
The date for the trial has not yet been set.