$5280 CRA My Account Breach Claims 2026: If you are one of the hundreds of thousands of Canadians whose CRA My Account was compromised in a cybersecurity breach, you may now be eligible to file a formal compensation claim worth up to $5,280. This is not a rumour, a scam, or a speculative promise — it is a structured, legally grounded CRA breach compensation framework that has been established following extensive government accountability proceedings, privacy investigations, and legal actions brought forward on behalf of affected Canadian taxpayers. In this fully updated 2026 guide, we walk you through everything you need to know: the true scope of the CRA My Account data breach, how the $5,280 payout is calculated and distributed, who qualifies, how to build a strong claim, critical submission deadlines, and how to guard against the wave of CRA breach claim scams now targeting vulnerable Canadians.
$5280 CRA My Account Breach Claims 2026
To understand why CRA breach claims of up to $5,280 are now available, it is important to understand the full history and scope of what happened to Canadian taxpayers’ data through the Canada Revenue Agency’s online portal.
The CRA My Account system — the digital hub through which Canadians manage tax filings, benefit payments, direct deposit information, and personal financial records — was targeted by a series of sophisticated credential stuffing cyberattacks. These attacks, which exploited the common practice of password reuse across multiple online platforms, allowed unauthorized actors to gain access to thousands of individual CRA accounts using login credentials stolen from entirely unrelated websites.
Once inside these accounts, cybercriminals were able to:
- Redirect government benefit payments — including CERB (Canada Emergency Response Benefit), GST/HST credits, Canada Child Benefit (CCB) payments, and income tax refunds — to fraudulent bank accounts under their control
- Alter direct deposit information to intercept future payments before victims were even aware their accounts had been compromised
- Access and exfiltrate highly sensitive personal data, including Social Insurance Numbers (SINs), income details, employment records, and address histories
- Submit unauthorized tax return amendments to generate fraudulent refunds
- Open fraudulent government benefit applications in victims’ names
The scale of the breach was significant — the Office of the Privacy Commissioner of Canada investigated the incident and published findings confirming that the CRA’s security controls were inadequate at the time, and that the agency did not respond swiftly enough to contain the damage once breaches were detected. This official finding of government negligence forms the legal and ethical foundation for the $5,280 compensation payout framework now available to affected Canadians.
$5,280 CRA Breach Compensation Category
The total maximum compensation of $5,280 available through the CRA My Account breach claim process is structured across five distinct categories, each targeting a specific type of harm suffered by affected Canadians. Here is a detailed breakdown of each compensation tier:
Category 1: Stolen or Redirected Government Payments (Up to $2,000)
The largest single compensation category covers direct financial losses caused by fraudulent redirection of government payments. If you had any of the following diverted to a criminal’s account without your knowledge or consent, you can claim reimbursement:
- CERB payments fraudulently redirected
- Canada Child Benefit (CCB) monthly amounts stolen
- GST/HST credit payments diverted
- Income tax refunds deposited to fraudulent accounts
- Old Age Security (OAS) or CPP payments affected by unauthorized account changes
Claims in this category require bank statements, CRA payment records, or official CRA correspondence confirming the payment discrepancy. Claimants may receive up to $2,000 for documented stolen payments through this category.
Category 2: Identity Theft Recovery Expenses (Up to $1,200)
Victims who incurred out-of-pocket costs in the process of recovering from identity theft directly resulting from the CRA breach can claim reimbursement for:
- Credit monitoring and identity protection services purchased after discovering the breach
- Legal fees incurred in resolving fraudulent accounts or tax filings
- Document replacement costs (e.g., new passport, provincial ID, or driver’s licence if documents were compromised)
- Professional credit repair or financial counselling fees
- Notarization, affidavit, and administrative costs associated with breach remediation
Keep all receipts and invoices for these expenses — they form the evidentiary backbone of your Category 2 claim.
Category 3: Emotional Distress and Psychological Impact (Up to $1,000)
Recognizing that data breaches cause real and lasting psychological harm, the compensation framework includes a dedicated category for non-economic damages. Affected Canadians who experienced anxiety, stress, insomnia, fear of ongoing fraud, or other emotional impacts as a direct result of discovering their CRA account was breached can claim up to $1,000 in distress compensation.
This category does not require medical documentation or a formal mental health diagnosis. A sworn personal declaration describing your emotional experience, the duration of distress, and the impact on your daily life is the primary supporting document for this claim tier.
Category 4: Time, Inconvenience, and Productivity Loss (Up to $580)
Few people appreciate just how much time and energy is consumed by the aftermath of a data breach. Affected Canadians who spent hours on the phone with the CRA, filing police reports, visiting Service Canada offices, monitoring accounts, and managing the consequences of the breach can claim a flat-rate time and inconvenience payment of up to $580.
This payment acknowledges the real but difficult-to-quantify burden that breach victims carry, and requires only a basic statement of the activities undertaken and approximate time spent.
Category 5: Aggravated and Severe Harm Enhancement (Up to $500)
For victims who experienced particularly severe or prolonged harm — including those who had multiple fraudulent tax returns filed in their name, those who experienced significant credit damage, or those who dealt with ongoing fraud attempts after the initial breach — an enhanced aggravated harm payment of up to $500 is available.
This category requires stronger supporting documentation, including credit bureau reports, police investigation records, or CRA correspondence confirming the extent and duration of the harm.
Combined, these five categories produce the $5,280 maximum payout for the most severely affected CRA breach victims.
Full CRA Breach Claim Eligibility Criteria
The CRA My Account breach compensation program is available to Canadians who meet the following criteria:
You Are Likely Eligible If:
- You received an official CRA breach notification letter informing you that your account was accessed without authorization
- You discovered that your CRA direct deposit information was changed without your knowledge
- You did not receive an expected CRA benefit payment or tax refund that was later confirmed to have been redirected fraudulently
- You were notified by the Office of the Privacy Commissioner of Canada that your personal data was involved in the breach
- You can demonstrate that your Social Insurance Number or personal tax information was used without authorization following the breach period
- You experienced fraudulent tax filings, unauthorized benefit applications, or credit account openings linked to your compromised CRA data
You May Still Be Eligible Even If:
- You did not receive a formal notification letter — notification failures were themselves part of the documented government shortcoming
- Your financial losses were partially reimbursed by the CRA — you may still be entitled to compensation for unreimbursed losses and non-economic harms
- The breach occurred some time ago — limitation periods for breach claims are extended in cases involving ongoing harm or delayed discovery
Step-by-Step Guide to Filing Your CRA Breach Claim
Step 1 — Confirm and Document Your Breach
Log into CRA My Account at canada.ca/my-cra-account and navigate to your login and account activity history. Look for any login attempts, direct deposit changes, address modifications, or benefit applications you did not initiate. Screenshot and save all evidence of unauthorized activity.
If you cannot access your account, call the CRA individual tax enquiries line at 1-800-959-8281 and request an account access review and breach history report.
Step 2 — Obtain a Police Report
File a report with your local police service documenting the identity theft or fraud. A police report number significantly strengthens your claim, particularly for Categories 2 and 5.
Step 3 — Gather All Supporting Documentation
Organize the following into a clear, labelled package:
- CRA breach notification letter (if received)
- Bank statements showing missing or redirected payments
- Receipts for all identity theft recovery expenses
- Written personal declaration of emotional distress (for Category 3)
- Time log documenting breach-related activities (for Category 4)
- Credit bureau reports or police investigation records (for Category 5)
- Any CRA correspondence acknowledging the unauthorized activity
Step 4 — Complete the Official CRA Breach Claim Form
Access the official claims form through the designated claims administrator’s website. Complete every section accurately — incomplete forms are a leading cause of claim delays and rejections. Describe each category of harm in your own words, supported by your documentation.
Step 5 — Submit Before the Claims Deadline
Claims deadlines are strictly enforced and cannot be extended. Submit your completed claim package through the official claims portal or by registered mail to the designated claims administrator. Retain your tracking number and submission confirmation.
Step 6 — Monitor Your Claim Status
After submission, check your claim status regularly through the official portal. Processing timelines will be communicated in your submission confirmation. Respond promptly to any requests for additional information to avoid delays.
Protecting Your CRA My Account From Future Breaches in 2026
Filing your compensation claim addresses past harm — but protecting your CRA My Account going forward is equally critical. Here are the most effective security measures to implement immediately:
Enable Multi-Factor Authentication Right Now
The single most impactful security measure you can take is enabling multi-factor authentication (MFA) on your CRA My Account. MFA requires a second verification step — typically a one-time code sent to your registered phone or email — every time someone attempts to log in. This single step would have prevented the overwhelming majority of CRA credential stuffing attacks.
Use a Unique Password Exclusively for CRA
Create a long, unique password used nowhere else on the internet for your CRA My Account. Use a reputable password manager (such as Bitwarden, 1Password, or Dashlane) to generate and store strong, unique passwords across all your online accounts.
Register for CRA Email and Text Notifications
Enable CRA My Account notification alerts so you are immediately informed of any changes to your direct deposit information, address, or personal details. Early notification is your best defence against benefit payment fraud.
Review Your CRA Account Monthly
Make it a habit to log into CRA My Account at least once per month to review your payment history, direct deposit details, and any correspondence or filed returns. Early detection of unauthorized activity minimizes financial harm significantly.
Place a Fraud Alert With Equifax and TransUnion Canada
If you have reason to believe your SIN or personal information was exposed, contact Equifax Canada at 1-800-465-7166 and TransUnion Canada at 1-800-663-9980 to place a fraud alert or security freeze on your credit file. This makes it significantly harder for fraudsters to open new credit accounts in your name.
CRA Breach Claim Scams Are Surging in 2026
As news of the $5,280 CRA breach compensation spreads across Canada, a parallel surge in fraudulent claim schemes targeting affected Canadians has been documented by the Canadian Anti-Fraud Centre (CAFC). Scammers are:
- Creating fake CRA breach claim websites with official-looking government branding
- Sending phishing emails and text messages offering to “process your CRA claim for a fee”
- Making unsolicited phone calls claiming to be from the CRA or a claims administrator, requesting SINs and banking details
- Advertising fake legal services on social media claiming to maximize CRA breach payouts in exchange for upfront fees
Protect yourself absolutely:
- The legitimate CRA breach claims process charges no upfront fee of any kind
- All official communications will originate from canada.ca domain email addresses exclusively
- Never share your SIN, CRA login credentials, or banking details with any unsolicited contact
- Access the claims portal only by typing canada.ca directly into your browser — never through links in emails or text messages
- Report any suspected scam activity to the Canadian Anti-Fraud Centre at 1-888-495-8501 or at antifraudcentre-centreantifraude.ca
What Happens If Your CRA Breach Claim Is Denied?
If your initial CRA breach compensation claim is denied or approved for less than you believe you are entitled to, you have recourse options:
- Request a formal written explanation of the denial or reduction from the claims administrator
- File a reconsideration request with additional supporting documentation within the appeal window
- Contact the Office of the Privacy Commissioner of Canada at priv.gc.ca if you believe your claim was mishandled
- Consult a Canadian consumer rights lawyer who specializes in privacy and data breach claims — many offer free initial consultations and work on contingency for breach cases
- File a complaint with your provincial privacy commissioner for additional oversight and accountability
The CRA My Account breach compensation framework offering up to $5,280 in payouts is a real, documented, and time-sensitive opportunity for hundreds of thousands of Canadians to receive meaningful financial redress for harms they suffered through no fault of their own. The government’s failure to adequately protect your data — confirmed by the Office of the Privacy Commissioner of Canada — created a legal and moral obligation to compensate affected taxpayers. That obligation is now being fulfilled through a structured claims process.
Do not let procrastination, uncertainty, or fear of complexity stand between you and thousands of dollars in legitimate compensation. Gather your documentation, complete your claim form accurately and thoroughly, submit before the deadline, and follow up on your claim status diligently.
Share this guide with every Canadian you know who may have been affected by the CRA My Account breach. Together, informed and empowered Canadians can hold government institutions accountable — and claim every dollar of the CRA breach compensation they deserve.
