Executive Summary: Key Legal and Evidentiary Issues

• A credential stuffing attack on Government of Canada websites in 2020 compromised tens of thousands of CRA and ESDC online accounts, enabling identity theft and fraudulent CERB applications.

• Causes of action in systemic negligence, breach of confidence, and intrusion upon seclusion faced significant legal uncertainty, including potential defence arguments on indeterminate liability and the absence of intentional misuse by the Defendant.

• Settlement approval required the Court to assess whether the $8,760,500.90 all-inclusive settlement amount fell within the "zone or range of reasonableness," balancing modest per-claimant compensation against the risks of prolonged litigation.

• Only 30 of approximately 48,000 eligible Class Members objected to the settlement, representing an objection rate of 0.0006%, supporting the conclusion that the settlement served the best interests of the class as a whole.

• Objectors who had not opted out were granted a further opt-out opportunity, as the Court found that choosing to object rather than opt out before knowing the settlement's fate constituted excusable neglect.

• Class Counsel's contingency fee of 33.33% of compensatory payments, totalling $2,090,182.18 inclusive of taxes, was approved as fair and reasonable given the litigation risk, complexity, and results achieved.

The data breach and its impact on Canadians
In the summer of 2020, Government of Canada online portals — specifically the Canada Revenue Agency's (CRA) My Account and the Government of Canada Branded Credential Service (GCKey) — were targeted by a large-scale credential stuffing attack. Credential stuffing is a form of cyberattack in which stolen username-and-password combinations from one system are used by automated bots to gain unauthorized access to accounts on another system. The attackers exploited a misconfiguration in CRA's credential management software that allowed them to bypass security questions, a vulnerability that was not identified until August 6, 2020, and remedied on or about August 10, 2020. At least 48,110 CRA My Accounts were impacted by the unauthorized use of credentials, with threat actors actually logging into 26,250 of those accounts. In 12,700 accounts, the attackers changed taxpayers' direct deposit banking information and fraudulently applied for CERB. The GCKey service was similarly attacked, with 5,957 accounts across several enabled services potentially impacted, including 3,200 compromised My Service Canada Accounts (MSCAs) used to access CRA My Accounts via the link between MSCA and CRA, and 1,200 of those accounts used to apply for CERB or other COVID-related benefits.

The plaintiff and the commencement of the class action
Todd Sweet, a resident of Clinton, British Columbia, discovered on July 2, 2020, that his CRA online account had been compromised after receiving emails notifying him that his email address had been removed from his account. He found that his direct deposit information had been changed and that, on June 29, 2020, an unknown and unauthorized individual had made applications for CERB using his account. The class action was originally commenced on August 24, 2020, by the law firm Murphy Battista LLP on behalf of Ms. Anne Campeau and other proposed class representatives. However, in early April 2021, Murphy Battista itself experienced a data breach, in which unauthorized parties gained access to the firm's networks. The Defendant subsequently brought a motion to stay the proceedings on the basis that the Federal Court lacked jurisdiction to hear a third-party claim for contribution and indemnity against the firm. New Class Counsel, Rice Harbut Elliott LLP (now Rice Parsons Leoni & Elliott LLP), subsequently replaced Murphy Battista, narrowed the proposed class to exclude persons who had contacted Murphy Battista about this class action prior to June 24, 2021 (the "Excluded Persons"), and substituted Mr. Sweet as the representative Plaintiff.

Certification and class definition
On August 22, 2022, the Federal Court certified the action as a class proceeding with common questions of law or fact related to causes of action in systemic negligence, breach of confidence, and intrusion upon seclusion. The class was defined as all persons whose personal or financial information in their Government of Canada Online Account was disclosed to a third party without authorization between March 1, 2020, and December 31, 2020, excluding Excluded Persons. Government of Canada Online Account was defined to include CRA accounts, My Service Canada accounts, and other Government of Canada online accounts accessed using GCKey. By Order dated November 7, 2025, the class definition was amended to include the Excluded Persons, so as to encompass class members in a parallel proposed class action commenced by Ms. Tanis Seminoff on May 16, 2022, in the Supreme Court of British Columbia on behalf of the Excluded Persons. A total of 669 class members had opted out by the applicable deadlines.

Settlement negotiations and the Final Settlement Agreement
Following certification, the parties commenced a dialogue regarding the potential for a negotiated resolution of all claims. On September 25, 2024, the parties attended a mediation with the Honourable J. Douglas Cunningham, K.C., acting as the mediator. Following the mediation, the parties reached an agreement in principle on a settlement amount and distribution of settlement funds. This culminated in a Final Settlement Agreement (FSA) dated March 23, 2026. Under the FSA, the Defendant agreed to pay an all-inclusive sum of $8,760,500.90, which includes compensation for Class Members as well as taxes, legal fees, honoraria, claims administration costs, and disbursements. The settlement was claims-based, meaning eligible Class Members were required to submit a claim to the Claims Administrator (KPMG Inc.) through an online portal or in paper form.

Eligible claimant categories and compensation structure
The FSA divided eligible Class Members into two groups. Access Claimants — approximately 34,304 Class Members whose personal information contained in their Government online accounts was accessed by unauthorized third parties during the Breach Period — were entitled to claim compensation for the loss of time and inconvenience at $20 per hour, up to a maximum of four hours ($80 maximum). Fraud Claimants — approximately 13,661 Class Members who had their Government online accounts taken over by unauthorized third parties and who had their personal information (including direct deposit information) modified, allowing for fraudulent applications for CERB and/or other identified Government benefits — could claim at the same $20 per hour rate, up to a maximum of 10 hours ($200 maximum). Both groups could also submit a claim for Special Compensation for out-of-pocket costs related to identity theft, up to $5,000 per claimant, supported by documentary evidence. The maximum compensation pools were set at $2,720,000 for Access Claimants, $2,800,000 for Fraud Claimants, and $500,000 for Special Compensation, all subject to pro-rata reduction if total approved claims exceeded those amounts and to adjustment due to increased administration costs. Notably, the representative Plaintiff, Mr. Sweet, although a Class Member, would not be eligible for compensation under the FSA, as it had been determined that, while bad actors accessed his CRA account, this was not as part of the relevant credential stuffing attack.

Litigation risks and the Court's assessment
The Court acknowledged significant legal risks that the class would face if the matter proceeded to trial. In relation to systemic negligence, the Defendant was expected to argue that it did not owe a relevant private duty of care to Class Members, that the circumstances of this case were novel and that a full duty of care analysis would have to be undertaken, and that even if a duty of care were found to exist, it would be negated by policy concerns of indeterminate liability — an argument the Court had expressed the view in the Certification Decision was among the strongest of the Defendant's submissions opposing certification. The Defendant also referenced the argument that the Government's decision to roll out COVID emergency benefits using existing online systems was a core policy decision, made during an unprecedented global pandemic, which should not attract liability. Regarding breach of confidence, the Defendant's anticipated position was that it had not itself misused the Class Members' personal information, intentionally or otherwise, and that it was the bad actors who had unlawfully obtained the information. Similarly, for intrusion upon seclusion, the Defendant was expected to argue that there can be no liability for this tort in a data breach case where the Defendant did not itself intrude but rather is alleged to have failed to adequately protect personal information, relying on recent decisions from the Court of Appeal for Ontario that the Plaintiff was concerned could support such a defence. The Court also accepted the concern that Class Members could struggle to establish causation, noting the Defendant's expert report referring to the difficulty of attributing specific instances of fraud to specific data breaches.

Objections to the settlement
Thirty objections were filed (29 by the deadline of February 20, 2026, and one received after the deadline), representing an objection rate of 0.0006% of the approximately 48,000 eligible Class Members. The primary objections concerned the modesty of compensation, with many objectors describing their particular experiences following the data breach, including mental, physical, and financial harm, adverse impacts on employment or personal transactions, and effects upon their credit or anxiety or ongoing costs such as credit monitoring. Several objectors described lengthy and repeated challenges and frustrations in their communications with CRA in efforts to resolve issues arising from the data breach. One objector asserted that the proposed claims process was unclear and difficult to access. The Court acknowledged that compensation may be wholly inadequate for some Class Members but found that the settlement was intended to provide a reasonable level of compensation for a class of claimants and was not necessarily suitable for every Class Member. The Court further held that objectors who had chosen to object rather than opt out — necessarily making that decision without knowing whether their effort to oppose Court approval would be successful — should be afforded a further opportunity to opt out of the Class Action to preserve their right to pursue individual actions.

Honoraria and legal fees
The Court approved honoraria of $5,000 for Mr. Sweet, $1,500 for Ms. Campeau, and $1,500 for Ms. Seminoff, recognizing their respective contributions to the litigation. Class Counsel's fees were approved at $2,090,182.18 inclusive of taxes, representing 33.33% of compensatory payments to Class Members pursuant to the contingency retainer agreement, along with disbursements of $89,255.81 inclusive of taxes. The Court found these fees consistent with precedent for data breach class action settlements and noted that Class Counsel and Murphy Battista had together expended 3,029.7 hours in this litigation, representing $2,031,071.40 of docketed time, meaning that the contingency fee amount was comparable to the fees calculated based on docketed time, and counsel had not achieved a material fee premium to compensate them for their risk.

The ruling and outcome
In his decision dated May 5, 2026, the Honourable Mr. Justice Southcott of the Federal Court granted the Plaintiff's motion and approved the FSA, finding its terms fair, reasonable, and in the best interests of the class as a whole. The Court issued two Orders: one approving the settlement and honoraria (with an additional opt-out opportunity for objectors), and the other approving Class Counsel's fees and disbursements. The all-inclusive settlement of $8,760,500.90, payable by the Defendant (His Majesty the King), was approved in favour of the class represented by Todd Sweet. However, the precise net amount that will ultimately be distributed to individual Class Members depends on the number of valid claims submitted and final administration costs, which were not yet determinable at the time of the decision.