ARTICLE
17 June 2026

Approved: $8.7M CRA Data Breach Settlement – How Affected Canadians Can Claim $80, $200, And Up To $5,000 For Verified Claims

RS
Rotfleisch & Samulovitch P.C.

Contributor

Rotfleisch & Samulovitch P.C. logo
Rotfleisch Samulovitch PC is one of Canada's premier boutique tax law firms. Its website, taxpage.com, has a large database of original Canadian tax articles. Founding tax lawyer David J Rotfleisch, JD, CA, CPA, frequently appears in print, radio and television. Their tax lawyers deal with CRA auditors and collectors on a daily basis and carry out tax planning as well.
Explore Firm Details
The Federal Court has approved an $8.7 million class action settlement in Sweet v. His Majesty the King (2026 FC 590), resolving claims from the 2020 credential-stuffing cyberattacks on Government of Canada online accounts accessed via GCKey, including CRA My Account.
Canada Tax
David Rotfleisch
Your Author LinkedIn Connections
David Rotfleisch’s articles from Rotfleisch & Samulovitch P.C. are most popular:
  • within Tax topic(s)
  • with Senior Company Executives, HR and Finance and Tax Executives
  • in Canada
  • with readers working within the Accounting & Consultancy, Aerospace & Defence and Securities & Investment industries

Federal Court Approves Major Settlement for Victims of 2020 GCKey CRA Privacy Breach

The Federal Court has approved an $8.7 million class action settlement in Sweet v. His Majesty the King (2026 FC 590), resolving claims from the 2020 credential-stuffing cyberattacks on Government of Canada online accounts accessed via GCKey, including CRA My Account.

This settlement provides compensation to eligible Canadians whose personal and financial information was compromised in the breach. The Government of Canada denies liability but agreed to the compromise to resolve the litigation.

Background: From 2022 Certification to 2026 Approval

In August 2022, the Federal Court certified the class action (Sweet v. Canada, 2022 FC 1228), allowing claims for privacy breach and negligence to proceed against the Government of Canada. Lead plaintiff Todd Sweet and others alleged that inadequate security enabled hackers to access accounts, in some cases leading to fraud such as fake CERB claims or diverted payments.

Read our previous 2022 article on the class action certification here.

8.7 Million Settlement Breakdown and Claimant Compensation

Of the $8.7 million total settlement amount, approximately $6 million is allocated for class member compensation. The remaining portion covers class counsel fees, disbursements, administration expenses, taxes, and honoraria.

Claims-based payouts (administered by KPMG):

  • Access Claims (information accessed, no fraud): Up to $80 ($20 per hour for time and inconvenience, maximum 4 hours).
  • Fraud Claims (information used fraudulently): Up to $200 ($20 per hour, maximum 10 hours).
  • Special Compensation Fund: Up to $5,000 per claimant for verified out-of-pocket losses (e.g., unreimbursed fraud losses, identity theft fees, credit monitoring, or credit freeze costs). Payouts may be reduced pro-rata if total claims exceed available funds.

File claims through the official settlement website: breachsettlementcanada.kpmg.ca.

Legal Fees, Disbursements & Related Costs

Class counsel (Rice Harbut Elliott LLP) sought court approval for 33.33 percent of the net settlement proceeds plus disbursements, applicable taxes, and administration expenses. The Federal Court approved the fee structure as fair and reasonable. Specific dollar amounts for legal fees and disbursements are not separately itemized in public summaries but are drawn from the non-compensation portion (approximately $2.7 million).

Approved Honoraria:

  • $5,000 to lead plaintiff Todd Sweet.
  • $1,500 each to Anne Campeau and Tanis Seminoff.

Unclaimed funds will support privacy research, such as through the Privacy and Access Council of Canada.

Other CRA Data Breaches: A Pattern of Ongoing Concerns

The 2020 GCKey credential-stuffing incident is not an isolated event. The Canada Revenue Agency has faced numerous privacy breaches in recent years. Between March 2020 and December 2023, the CRA reported over 31,000 material privacy breaches affecting approximately 62,000 individual taxpayers. These incidents often involved unauthorized access to taxpayer accounts and, in some cases, led to fraudulent benefit claims totalling hundreds of millions of dollars.

In 2025, another government-wide incident occurred when a vulnerability in a third-party multi-factor authentication service exposed phone numbers linked to many CRA and ESDC accounts (and email addresses for CBSA accounts). This was classified as a non-material privacy incident limited to contact information.

These repeated breaches have prompted investigations by the Office of the Privacy Commissioner of Canada and raised broader questions about the security of taxpayer data held by the CRA.

Pro Tax Tips for CRA GCKey Settlement Payments

Privacy breach settlements like this are generally non-taxable under the surrogatum principle in Canadian tax law.

What is the Surrogatum Principle? It is a simple tax rule that asks: “What is this payment replacing?” If the payment replaces something that would not have been taxable (such as compensation for personal inconvenience, privacy invasion, or general damages), then the settlement payment itself is usually not taxable. Most payments in this GCKey settlement fall into this non-taxable category.

Practical Tax Tips:

  • Monitor your CRA My Account and mail for any T4A slip issued by the administrator.
  • Reimbursements for actual out-of-pocket expenses (e.g., credit monitoring fees) are typically non-taxable.
  • If you previously deducted related fraud losses on prior tax returns, consult an experienced Canadian tax lawyer to prevent any CRA adjustment.
  • Maintain detailed records and claim documentation for at least 6–7 years.
  • High-value claims from the Special Compensation Fund may warrant personalized tax advice.

This is general guidance only — consult a qualified Canadian tax lawyer for your specific situation.

FAQ – Sweet v. His Majesty the King GCKey Class Action Settlement

Who qualifies for compensation?

Anyone whose Government of Canada online account (CRA My Account, My Service Canada, or other GCKey-linked account) was accessed without authorization in the 2020 credential-stuffing attacks. Verify eligibility on the KPMG portal.

What is the claims deadline?

Check the official settlement site for current deadlines — the claims process is open following court approval.

How do I submit a claim?

Visit breachsettlementcanada.kpmg.ca to confirm eligibility and file with supporting information.

Will payments be taxable?

Generally, no for personal damages portions, but monitor for tax slips and consult a tax professional.

Does the settlement mean the government admits fault?

No — it is a compromise settlement without any admission of liability.

Key Takeaways for Canadians Affected by the GCKey Breach

This $8.7 million CRA class action settlement highlights the risks of government data breaches and the effectiveness of class actions in securing compensation. Eligible individuals should file claims promptly through the official portal. Given the pattern of multiple CRA breaches, all taxpayers should enable strong security measures such as unique strong passwords, multi-factor authentication, and regular monitoring of their CRA accounts.

Resources:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of David Rotfleisch
David Rotfleisch
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More