New CRA Data Breach Settlement 2026: A landmark CRA data breach class action settlement in Canada 2026 is now drawing widespread national attention after the Federal Court gave its approval on May 5, 2026 — and tens of thousands of Canadians may be entitled to compensation of up to $5,000 per eligible claim. If you used a Canada Revenue Agency account, a My Service Canada account, or any other Government of Canada online account accessed through GCKey during 2020, you could be part of one of the most significant federal privacy breach settlements in Canadian history.
Here is everything you need to know about who qualifies, how much you could receive, how to file your claim, and how to avoid the scams already circulating in connection with this settlement
What is New CRA Data Breach Settlement 2026?
To understand this settlement, you need to understand the cyberattack that triggered it. Between June 15 and August 30, 2020, hackers launched a wave of credential stuffing attacks against Government of Canada online systems — including CRA My Account and My Service Canada accounts. Credential stuffing is a technique where cybercriminals use username and password combinations stolen from unrelated third-party data breaches and systematically test them against other platforms to gain unauthorized access.
In this case, the attackers successfully broke into thousands of government accounts, accessing sensitive personal and financial data. In many instances, the stolen access was exploited to file fraudulent Canada Emergency Response Benefit (CERB) applications in victims’ names or to redirect legitimate CERB payments by changing direct deposit banking information without account holders’ knowledge. One of the lead plaintiffs in the case, Todd Sweet of Clinton, British Columbia, discovered in July 2020 that someone had changed the email address on his CRA account, updated his direct deposit details, and submitted four CERB applications in his name — without his knowledge or consent.
The CRA briefly shut down its online services in August 2020 after thousands of Canadians shared similar experiences. The scale of the attack, affecting more than 47,000 Canadians, prompted the class action that has now resulted in a court-approved settlement six years later.
The Lawsuit: Sweet v. His Majesty the King
The class action, officially known as Sweet v. His Majesty the King (Federal Court file number T-982-20), was filed in British Columbia and alleged that Government of Canada online systems lacked adequate cybersecurity safeguards, allowing credential stuffing attackers to breach accounts and access confidential personal and financial information. The lawsuit claimed that federal systems were negligent in failing to protect users from foreseeable cyberattack methods.
The Federal Court certified the class action in August 2022 (Sweet v. Canada, 2022 FC 1228), allowing privacy breach and negligence claims to proceed against the federal government. After years of litigation, the parties reached a negotiated settlement agreement in 2025. The settlement approval hearing was scheduled for March 31, 2026, and Federal Court Justice Richard Southcott approved it on May 5, 2026, writing that the terms were “fair, reasonable, and in the best interests of the class as a whole.”
The Government of Canada has formally denied any wrongdoing throughout this process. The settlement is a legal compromise of disputed claims, not an admission of liability or fault. The total settlement fund amounts to $8.7 million, from which legal fees, administration costs, and claimant compensation will be drawn. Class counsel, Rice Harbut Elliott LLP, sought court approval for legal fees representing 33.33% of net settlement proceeds, plus disbursements and applicable taxes.
Who Is Eligible for the CRA Settlement Payment?
This is the most misunderstood aspect of the settlement. Not every Canadian with a CRA account qualifies. Eligibility is specific, time-bound, and requires that your account was actively compromised during a defined window.
You are considered a class member if your personal or financial information in a Government of Canada online account was disclosed to a third party without authorization between March 1 and December 31, 2020. However, class membership alone does not automatically entitle you to a payment.
To actually receive compensation under the CRA settlement, your account must have been one of those targeted during the specific credential stuffing attacks between June 15 and August 30, 2020, and your personal information must have been either accessed or accessed and used for fraudulent purposes during that window.
The clearest indicator of eligibility is straightforward: if KPMG (the court-appointed settlement administrator) sent you an email notification about this settlement, you are eligible to apply for a payment. That email is effectively your confirmation that your account was identified as having been compromised within the eligible attack window.
The following individuals are excluded from the settlement:
- Anyone who opted out before the February 20, 2026 opt-out deadline
- Anyone who contacted Murphy Battista LLP about the CRA privacy breach class action (Federal Court file T-982-20) prior to June 24, 2021
- Anyone whose account was breached outside the June 15 – August 30, 2020 credential stuffing window, even if it fell within the broader March–December 2020 class period
- Anyone whose account was accessed but whose information was not actually compromised or misused
How Much Can You Claim?
The settlement does not offer a single flat payment to everyone. Instead, it uses a three-tier compensation structure based on the type and severity of harm experienced. Here is what each tier covers:
Tier 1: Account Access Inconvenience — Up to $80
This lowest tier covers eligible class members who experienced unauthorized access to their government account but did not have their information used for outright fraud. Compensation is calculated at $20 per hour for up to four hours, representing the time and inconvenience of dealing with account access issues, changing passwords, contacting the CRA, and securing their profile.
This tier is intended to acknowledge the disruption and effort involved in recovering account control — even when no direct financial loss occurred. The maximum payout under this tier is $80.
Tier 2: Identity Misuse and Fraudulent Activity — Up to $200
The second tier applies to individuals whose compromised account information was used for fraudulent CERB benefit claims or whose legitimate CERB payments were diverted by attackers changing their banking details. Compensation for this tier is also calculated at $20 per hour for up to ten hours, recognizing the additional time and stress involved in reporting fraud, resolving identity misuse, and restoring benefits. The maximum payout under this tier is $200.
Tier 3: Special Compensation Fund for Documented Financial Losses — Up to $5,000
The highest tier — and the one generating the most attention — covers verified out-of-pocket financial losses that can be directly connected to the 2020 government account breach. This includes unreimbursed financial losses from fraud, identity theft-related expenses, credit monitoring subscription fees, credit freeze costs, and similar documented expenditures that resulted from the breach and were never compensated by another source.
This is the tier where eligible claimants can receive up to $5,000 in CRA settlement compensation, but it requires substantive supporting documentation. Compensation under this tier is not automatic — claimants must provide evidence of their losses and demonstrate a direct link between those losses and the 2020 credential stuffing attack. The maximum total payout combining all three tiers is $5,280 per claimant.
An important caveat: if the total value of all approved claims exceeds the available settlement funds, individual payouts may be reduced on a pro-rata basis to ensure fair distribution across all eligible recipients.
How to File Your CRA Settlement Claim
The official settlement is administered exclusively by KPMG, and all claims must be submitted through the verified settlement website. The only legitimate claims portal is:
breachsettlementcanada.kpmg.ca
Do not submit your personal information to any other website, app, or service claiming to be connected to this settlement. The official class counsel is Rice Harbut Elliott LLP, reachable at classactions@rplelaw.com for legal inquiries related to the case.
KPMG has not yet published the full claims filing deadline as of early June 2026, but eligible claimants who received KPMG’s email notification can verify their status and begin the claims process directly on the settlement website. KPMG will oversee the full verification and payment process. Class members who do not opt out are automatically included in the settlement — meaning you do not need to take any action to remain covered, but you do need to actively file a claim to receive compensation.
Tax Treatment of Settlement Payments: What You Need to Know
A question many recipients are asking is whether CRA settlement payments are taxable in Canada. The general principle under Canadian tax law is that payments compensating for actual out-of-pocket losses — such as those under the Tier 3 Special Compensation Fund — are typically not considered taxable income, since they represent a reimbursement of documented expenses rather than earned income.
However, tax treatment can vary depending on individual circumstances, the specific nature of the payment received, and how it was calculated. Given the potential size of Tier 3 payments, recipients are strongly encouraged to consult a Canadian tax professional before filing their income tax return for the year in which a settlement payment is received. This is especially relevant for higher-value claims under the Special Compensation Fund.
Protect Yourself from Settlement Scams
Settlement announcements tied to government agencies and financial data consistently attract fraudulent actors. Since this settlement involves the Canada Revenue Agency, GCKey, and significant public attention, scammers are already targeting Canadians with fake notifications.
Here are the warning signs of a CRA settlement scam:
- Unsolicited calls, texts, or emails promising guaranteed payouts
- Any message requesting upfront fees, gift card payments, or wire transfers to process your claim
- Websites other than breachsettlementcanada.kpmg.ca asking for personal or banking information
- Communications claiming your payment has already been issued and asking you to confirm details
The legitimate KPMG settlement process will never ask for upfront fees, will never demand payment to release your compensation, and will only contact eligible claimants at the email address on file with their government account. If you receive a suspicious communication claiming to be related to this settlement, report it to the Canadian Anti-Fraud Centre at antifraudcentre.ca.
What This Settlement Means for Canadians
The $8.7 million CRA class action settlement approval in 2026 is more than a financial resolution — it is a formal acknowledgment by the federal judicial system that Canadians whose government accounts were compromised in 2020 deserve compensation for the disruption, fraud, and financial harm they experienced. For many victims, the fraudulent CERB applications filed in their names caused months of frustration, damaged their relationship with the CRA, and in some cases created tax complications that took years to resolve.
The case also signals a growing legal and regulatory expectation that federal digital services must meet a meaningful standard of cybersecurity protection for users’ personal and financial data. Any unclaimed settlement funds are designated to support privacy research through organizations like the Privacy and Access Council of Canada — meaning the settlement’s impact extends beyond individual claimants.
If you believe your government account was compromised in 2020, verify your eligibility at breachsettlementcanada.kpmg.ca — it may be worth thousands of dollars.
