Ottawa is bracing for a multi-million-dollar bill after reaching a settlement in a class action lawsuit tied to the 2020 hacking of tens of thousands of federal taxpayer accounts, the Treasury Board confirmed.Blacklock's Reporter says the settlement covers a security breach that exposed 54,057 online government accounts, including 48,110 Canada Revenue Agency My Account profiles and 5,947 My Service Canada Accounts used to access Employment Insurance, Canada Pension and Old Age Security benefits. Final costs will be disclosed once the terms are filed with a federal judge for approval.Treasury Board officials said affected account holders were notified at the time and acknowledged that cyber threats remain a constant risk for governments and private organizations alike. Hackers who gained access to the accounts frequently altered direct deposit information, diverting benefit payments into their own bank accounts.Federal Court Justice Richard Southcott previously ruled that attackers were able to bypass security questions because of a misconfiguration in the Canada Revenue Agency’s credential management software. .The agency became aware of the vulnerability on Aug. 6, 2020, after being alerted by a law enforcement partner that the exploit was being sold on the Dark Web.While the total value of claims has not been made public, court records show that maximum compensation payments of up to $5,280 per claimant could push the total payout as high as $285.4 million.At the time of the breach, the Canada Revenue Agency sought to downplay the scope of the incident. Acting chief information officer Marc Brouillard told reporters the agency processes thousands of transactions daily and insisted the system functioned as intended by detecting fraudulent activity.Class action lawyers disputed that claim, telling the court the agency was aware weeks earlier that its My Account portal was experiencing unusually high numbers of failed login attempts, a known warning sign of hacking activity.Southcott acknowledged that not all compromised accounts contained sensitive data but said hackers did obtain access in some cases to Social Insurance Numbers, banking information and other personal details..The lead plaintiff in the case is Todd Sweet, a retired New Westminster police constable from Clinton, B.C., who said his CRA account was used in July 2020 to fraudulently claim four $2,000 pandemic relief payments that were redirected to an unknown bank account.In response to the breach, Revenue Minister Diane Lebouthillier later told Parliament the agency locked roughly 800,000 online accounts to stem further identity theft, describing the move as a precautionary measure to prevent additional unauthorized access.
