Ottawa will pay out millions after a federal court approved an $8.7 million class action settlement tied to a 2020 cyberattack that exposed tens of thousands of Canadians’ tax and benefits accounts.

Blacklock's Reporter says Federal Court Justice Richard Southcott signed off on the $8,760,501 deal, ruling the terms were fair and in the best interests of affected claimants. Individual payouts are expected to range from $80 to $5,000, with the total including legal fees.

The breach occurred at the height of pandemic relief spending, when hackers gained access to 48,110 Canada Revenue Agency “My Account” profiles and another 5,947 “My Service Canada” accounts tied to Employment Insurance, Canada Pension Plan and Old Age Security payments. Investigators found attackers often redirected direct deposit information to siphon off government benefits.

Court records show the breach stemmed from a flaw in the Canada Revenue Agency’s credential management system, allowing attackers to bypass security questions. The vulnerability was flagged to officials on August 6, 2020, after law enforcement warned that the exploit was being sold on the dark web.

Despite the magnitude of the breach, federal officials initially downplayed the incident. At the time, acting chief information officer Marc Brouillard insisted safeguards were working because fraudulent transactions were detected.

The court found warning signs appeared earlier. By July 2020, the agency was already seeing large volumes of failed login attempts, a red flag associated with hacking attempts, according to evidence cited in the ruling.

Justice Southcott acknowledged not all compromised accounts contained highly sensitive data, but confirmed some hackers accessed social insurance numbers, banking details and other personal information.

The case was led by Todd Sweet, a retired police officer from Clinton, B.C., who discovered his account had been used to fraudulently claim four $2,000 pandemic benefit payments diverted to another bank account.

In response to the breach, the federal government locked roughly 800,000 online accounts in an effort to contain further unauthorized access, according to statements made in Parliament in 2021 by then-revenue minister Diane Lebouthillier.