$8.7M CRA Data Breach Class Action Settlement, 47,000 Canadians May Qualify for Up to $5,000

The federal government will pay $8.7 million to settle a class action lawsuit involving tens of thousands of Canadians whose sensitive information was compromised when hackers got into their accounts on government websites, including the Canada Revenue Agency portal. If you had a CRA My Account, My Service Canada account, or any government online account accessed through GCKey between March and December 2020, you may be entitled to a payment — and the court just approved this settlement two days ago.

Quick Facts: Sweet v. His Majesty the King, Federal Court File No. T-982-20

Field	Detail
Settlement Amount	$8.7 million
Claim Deadline	TBD — KPMG will notify eligible claimants after final approval; check breachsettlementcanada.kpmg.ca
Who Qualifies	Canadians whose Government of Canada online account information was accessed without authorization between March 1 – December 31, 2020
Payout Per Person	Up to $80 (access only); up to $200 (fraud); up to $5,000 (documented out-of-pocket losses)
Proof Required	Yes — for Special Compensation Fund claims up to $5,000
Settlement Status	Finally Approved — May 5, 2026
Administrator	KPMG, 1-833-724-6160 or [email protected]
Official Website	breachsettlementcanada.kpmg.ca
Class Counsel	Rice Harbut Elliott LLP — [email protected]
Last Updated	May 7, 2026

What Is the CRA Data Breach Lawsuit About? Sweet v. His Majesty the King, No. T-982-20

In the summer of 2020, hackers targeted tens of thousands of Canadians through their federal government online accounts. In the first months of the COVID-19 pandemic, hackers were able to access 47,000 online government accounts, allowing them to apply for emergency benefits, including the Canadian Emergency Relief Benefit (CERB) or the Canadian Emergency Student Benefit (CESB). The victims’ social insurance numbers, direct deposit banking information, tax information, dates of birth, records of employment, information regarding employment insurance, and other benefits information were exposed.

It is alleged in the lawsuit that several failings by the government and the CRA allowed at least three cyberattacks to take place between mid-March and mid-August 2020, and that news of the attacks was not publicly disclosed until CBC News broke the story in August.

The lead plaintiff, Todd Sweet of Clinton, B.C., discovered his account had been hacked in July 2020 after receiving emails notifying him that the email address associated with his account had been changed. When he logged into the CRA’s online portal, someone had changed his direct deposit information and filed four applications for CERB in his name. Sweet filed the class action in Federal Court in Vancouver in August 2020, alleging the government was negligent in safeguarding Canadians’ confidential information.

On May 5, 2026, Federal Court Justice Richard Southcott approved the settlement, writing that the terms are “fair, reasonable, and in the best interests of the class as a whole.” The Government of Canada denies wrongdoing. This kind of data breach compensation case — where a government or large institution failed to protect personal data — is increasingly common, similar to how institutions in other countries have faced accountability for personal data stolen in cyberattacks. The case was handled by the Federal Court of Canada under its jurisdiction over claims against the Crown, based on negligence and breach of privacy obligations.

Related article: Nintendo Class Action Lawsuit, Gamers Say the Company Collected Tariff Costs Twice

Do You Qualify for the CRA Settlement?

This is the most important thing to understand: not every Canadian who had a government online account qualifies for a cash payment. The settlement distinguishes between who is a class member and who is entitled to a payout.

You are a class member if:

• Your personal or financial information in a Government of Canada Online Account was disclosed to a third party without authorization between March 1, 2020, and December 31, 2020
• Your account was a CRA “My Account,” My Service Canada account, or any other Government of Canada online account accessed using GCKey

You may be entitled to a payment only if:

• Your information was accessed during the specific Credential Stuffing Attacks directed at Government of Canada Online Accounts between June 15 and August 30, 2020, and your personal information was accessed, or accessed and used for fraudulent purposes
• You received an email notification from KPMG — that email confirms you are eligible to apply for a payment

You are likely NOT eligible for a payment if:

• Your account breach happened outside the June 15 – August 30, 2020 credential stuffing attack window, even if it was within the broader March–December 2020 class period
• Your account was accessed but your information was not actually compromised or used
• You opted out of the settlement before the February 20, 2026 deadline

Not sure if you qualify? You can check your eligibility directly at breachsettlementcanada.kpmg.ca using your last name, last 3 digits of your SIN, and email address.

For Canadians who have faced other data privacy situations, the AT&T data breach settlement is an example of how identity theft lawsuits work when personal data is accessed without consent and used fraudulently — the legal framework here mirrors that approach at the federal level in Canada.

How Much Can You Get from the CRA Settlement?

Your payout depends entirely on what happened to your account. There are three tiers.

Access Claim — up to $80

If your personal information was accessed but not used for fraudulent purposes, you can claim compensation for loss of time and inconvenience incurred communicating with government officials, law enforcement, or credit agencies — at a rate of $20 per hour for a maximum of four hours.

Fraud Claim — up to $200

If your personal information was accessed and used for fraudulent purposes — for example, if fraudulent applications were made in your name for CERB, CESB, or EI benefits, or if legitimate payments were diverted to an unauthorized bank account — you can claim $20 per hour for a maximum of 10 hours.

Special Compensation Fund — up to $5,000

The Special Compensation Fund covers out-of-pocket expenses related to the breach, including unreimbursed fraud losses or charges, professional or other fees incurred in connection with identity theft, and fees or penalties resulting from credit freezes. This tier requires documentation. You need receipts, professional invoices, or records showing the actual money you lost or spent as a direct result of the breach.

One critical point: amounts may be reduced depending on the number of claims submitted. The more Canadians who file valid claims, the smaller each individual payment may be on a pro-rata basis.

How to File Your CRA Settlement Claim

The settlement was finally approved on May 5, 2026. KPMG has not yet published the claim form or confirmed the claim deadline as of today. Here is exactly what to do right now.

Step 1 — Visit breachsettlementcanada.kpmg.ca and check your eligibility using your last name, the last 3 digits of your SIN, and your email address.

Step 2 — Check the email address associated with your government online account. Those who received an email from claims administrator KPMG are eligible to apply for a payment. Check your spam folder — this notice may have been filtered.

Step 3 — Once KPMG publishes the claim form (expected shortly after final approval), complete it online or by mail. For the Special Compensation Fund, gather your documentation now: receipts for credit monitoring services, professional fees, bank letters, fraud-related charges.

Step 4 — Contact KPMG directly if you believe you qualify but have not received an email: call 1-833-724-6160 or email [email protected].

Step 5 — Contact class counsel Rice Harbut Elliott LLP at [email protected] if you have legal questions about your eligibility or whether the settlement terms apply to your situation.

Step 6 — Watch for written instructions from KPMG after final approval. If you are a class member and do nothing now, you remain automatically included. After the court approves the settlement, you will receive instructions on how to apply for compensation.

Estimated time to complete: 10–15 minutes for standard claims. More time required if gathering documentation for the Special Compensation Fund.

Important Dates & Deadlines

Milestone	Date
Data Breach Period (Class Period)	March 1 – December 31, 2020
Credential Stuffing Attacks (Payment Eligibility Window)	June 15 – August 30, 2020
Class Action Filed in Federal Court, Vancouver	August 24, 2020
Class Certified by Federal Court	August 25, 2022
Settlement Reached Between Parties	December 2025
Notice Period Began	December 22, 2025
Opt-Out / Objection Deadline (CLOSED)	February 20, 2026
Final Approval Hearing	March 31, 2026
Final Approval Granted by Justice Southcott	May 5, 2026
Claim Form Release	TBD — KPMG to announce post-approval
Claim Filing Deadline	TBD — KPMG to confirm
Expected Payment Date	TBD — pending claim period completion

Frequently Asked Questions

Is there a class action settlement against the CRA for the 2020 data breach?

 Yes. The settlement for the nationwide class action involving the alleged privacy breach of Government of Canada online accounts was approved by the Federal Court on May 5, 2026, with Federal Court Justice Richard Southcott ruling the terms are fair, reasonable, and in the best interests of the class as a whole.

Do I need to do anything right now to be included? 

Not yet — but you should check your eligibility at breachsettlementcanada.kpmg.ca immediately. If you qualify, the claim form is not yet live as of May 7, 2026. Once KPMG publishes it, you will need to act before the deadline. Monitor your email and the official settlement website closely.

When will I receive my payment?

 TBD — the claim form has not yet been released by KPMG following final approval on May 5, 2026. Payments will be distributed after the claim period closes and KPMG processes all valid claims. Based on typical Canadian class action timelines, payments are likely several months away.

What if I missed the opt-out deadline?

 The opt-out deadline was February 20, 2026, and has passed. If you did not opt out, you are automatically included as a class member and bound by the settlement. You cannot pursue a separate individual lawsuit against the Government of Canada for this breach if you remained in the class.

Is this settlement legitimate?

 Yes. Sweet v. His Majesty the King, Federal Court File No. T-982-20, is a real Federal Court of Canada proceeding. The settlement is administered by KPMG and was approved by Justice Richard Southcott on May 5, 2026. The official website is breachsettlementcanada.kpmg.ca — do not submit personal information to any other site claiming to be the settlement administrator.

Will my settlement payment affect my taxes? 

Possibly. Canadian tax treatment of class action settlement payments depends on the nature of the payment. Payments that reimburse actual out-of-pocket losses are generally not considered income. However, tax treatment varies by individual situation. Consult a Canadian tax professional before filing if you receive a significant payment under the Special Compensation Fund.

Can I still join if I was affected by a different government account breach in 2020 — not just CRA? 

Government of Canada online accounts covered by the settlement include CRA accounts, My Service Canada accounts, and any other Government of Canada online account accessed using GCKey. If your breach involved one of those accounts during the class period, you are a class member. Whether you are entitled to a payment depends on whether your specific breach occurred during the June 15 – August 30, 2020 credential stuffing attack window.

How do I know if my CRA account was part of the hack?

 The CRA temporarily shut down its online services in August 2020 after Canadians shared similar stories of account takeovers online. If you received a notification from the government, noticed unauthorized changes to your CRA account (such as a changed email, changed direct deposit details, or unfamiliar CERB applications), or received an email from KPMG about this settlement, you were likely affected. Use the eligibility checker at breachsettlementcanada.kpmg.ca to confirm.

Sources & References

• Official Settlement Website: breachsettlementcanada.kpmg.ca — KPMG (Settlement Administrator)
• Government of Canada Official Notice: canada.ca — Sweet v. HMK Class Action
• Federal Court File: Sweet v. His Majesty the King, No. T-982-20, Federal Court of Canada
• Class Counsel: Rice Harbut Elliott LLP — rhelaw.com
• CBC News: Canadian government to pay $8.7M to settle data breach class-action involving CRA accounts — May 7, 2026

Prepared by the AllAboutLawyer.com Editorial Team and reviewed for factual accuracy against the official settlement website (breachsettlementcanada.kpmg.ca), the Government of Canada’s official case notice, and Federal Court records for File No. T-982-20 on May 7, 2026. Last Updated: May 7, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney or legal professional licensed in your jurisdiction.