Class Action Suit vs CRA/Government of Canada

Geoff Currier

When you file tax returns on behalf of your clients, both you and they might assume that the information you submit to the Canada Revenue Agency will be protected. It is an unsafe assumption. 

The Backdrop: You’ll recall that back in 2020 there was a serious breach of security at the Canada Revenue Agency. The breach ran from March 1 to December 31, 2020 and impacted some 48,000 accounts. Some of those affected may have been clients of yours. The Office of the Privacy Commissioner estimated in 2024 that there may have been roughly 15,000 additional breaches which went unreported.

Of those accounts which were breached, it’s believed that some 12,700 accounts were used by hackers to fraudulently apply for Canada Emergency Response Benefits (CERB) and other Covid related benefits including E.I.

The Class Action: Subsequently, a class action lawsuit was filed known formally as Sweet v His Majesty the King and less formally called Sweet Class Action. Todd Sweet is the plaintiff and the legal counsel is Rice, Harbutt, Elliot LLP. This is particularly noteworthy as it is the Government itself which is the subject of a class action. They have happened but they are uncommon. The Residential Schools settlement in 2006 is one example. The first nations child welfare case was settled for $23 billion and is the largest ever in Canada. 

This one may mean some cash for some of your clients but before any of them hear ka-ching sounds in their heads, they will need to understand that they stand to gain little in the way of cash compensation. 

Sweet’s suit claims that the Canadian government breached the class members’ privacy by failing to prevent hackers from accessing their online accounts and using that information for such things as fraudulently applying for CERB payments. The Government denies any wrongdoing. Nevertheless, a settlement has been reached.

Your clients should have received a notification about the class action suit but while they have a right to know about the breach and the case, they may not qualify for a settlement. An “Approval Hearing” will take place in Federal Court in Vancouver on March 31 to determine if the fees and disbursements being sought are “fair and reasonable”. 

Who’s Eligible: As for what constitutes eligibility in this suit, your clients will first have to know that their government accounts were compromised. Those accounts include their CRA account, a Service Canada account or another Government of Canada account which is accessed using a GCKey.

The criteria for eligibility for compensation gets stricter the further into the fine print one delves. Only those people whose accounts were hacked during what is called the Credential Stuffing Attack between June 15 and August 30, 2020 will qualify. 

If you have a client who wished to file an individual claim, they were to have opted out of the class action. They should also have opted out if their information was not accessed or if they were not a part of the Credential Stuffing Attack. The deadline for opting out has passed.

How Much You Can Get: Under the settlement proposal, those whose accounts were accessed but not used for fraudulent purposes may receive $20 per hour for the time used in communicating with government officials, law enforcement or credit agencies. However, it maxes out at $80.00.

If your client’s information was used for fraudulent purposes, they will be eligible for compensation of $20 per hour for time and inconvenience up to a maximum of ten hours or $200.00.

There is also a Special Compensation Fund which is for those clients who were out of pocket for unreimbursed fraud losses or charges, professional fees connected with identity theft or any fees or penalties they incurred from credit freezes. That ceiling is much higher at $5,000.00. The final amounts may vary depending on the number of participants. 

The Problem of Privacy: The big picture is that Canadians must be wary of any potential identity theft. Last year it was reported that some 28,000 employees at B.C.’s Interior Health Authority had their personal information hacked. In 2024, an unsealed affidavit revealed that CRA had paid out $37 million in bogus tax rebates. (both stories broken by CBC)

According to a report by the Office of the Privacy Commissioner, more than 309,000 individuals were affected by government institution breaches of privacy in 2024-2025. 

Private enterprises are not immune to data breaches. The Equifax breach of 2017 cost that company $575 million in compensation and penalties. Google has also been hacked, potentially impacting nearly 2 billion people.

With advances in AI, protecting our privacy is becoming an even greater challenge. As consumers we can take certain steps to limit the amount of personal information we surrender to private interests. However, when it comes to dealing with government agencies, we are left with no choice. We must provide our information to CRA.

The Bottom Line: The best advice you can give your clients is to have them stay on top of their My Account, as well as their banking and credit card statements to be certain they are not being defrauded.