Skip to main content
Barrett Tax Law logo

Insights

The CRA Data Breach Settlement: Who Can Claim, How Much, and the Tax Questions That Follow

Last reviewed June 2026

If your Canada Revenue Agency "My Account," My Service Canada Account, or GCKey login was compromised during the wave of cyberattacks in the summer of 2020, you may be owed money — and the window to claim it is approaching. The Federal Court of Canada has approved a settlement of roughly $8.7 million in the class action Sweet v. His Majesty the King (2026 FC 590), resolving claims over the breach of tens of thousands of Canadians' government accounts. Eligible class members will be able to claim up to $5,280 each, depending on what happened to them.

The news coverage has focused, understandably, on the dollar figures and the looming deadline. As a Canadian tax law firm, our clients tend to ask the questions that come next: Is this money taxable? What do I do if someone used my hacked account to apply for CERB in my name? How do I make sure my CRA account is actually secure now? This article walks through the settlement itself — eligibility, amounts, and how to claim — and then turns to the tax consequences and the practical fallout that the headlines leave out.

What happened in 2020

Between roughly June 15 and August 30, 2020, attackers used a technique called credential stuffing to break into Government of Canada online accounts. Credential stuffing does not involve hacking the government's systems directly. Instead, the attackers took username-and-password combinations that had leaked from other websites in unrelated breaches and tried them, in bulk, against government logins — exploiting the common habit of reusing the same password across many sites. Where a Canadian had reused a compromised password, the attackers got in.

The accounts affected included the CRA's My Account portal, My Service Canada Account, and the shared GCKey credential that fronts many federal services. Once inside, attackers could view personal and financial information and, in some cases, redirect benefits or file fraudulent applications. Tens of thousands of accounts were exposed — public reporting has put the figure above 47,000. The class action that followed alleged the government had not done enough to protect against a foreseeable attack, and it has now resolved in the settlement described below.

Who is eligible to claim

Broadly, you are a member of the settlement class if your Government of Canada online account (CRA My Account, My Service Canada Account, or a GCKey-linked account) was accessed without authorization during the relevant 2020 period. The settlement materials draw a distinction worth understanding:

  • The class is defined around unauthorized access to these accounts in 2020.
  • Compensation is directed at those whose accounts were accessed during the credential-stuffing attacks of June 15 to August 30, 2020 specifically.

The simplest way to find out whether you qualify is to use the eligibility checker run by the court-appointed claims administrator, KPMG, at breachsettlementcanada.kpmg.ca. It asks for your last name, the last three digits of your Social Insurance Number, and your email address. If KPMG already emailed you a notice about the settlement, that is itself an indication you are within the eligible group.

What you can claim

The settlement sorts compensation into three tiers. A single person can fall into more than one, which is how the maximum reaches $5,280:

  • Access claim — up to $80. For the time you spent dealing with the unauthorized access to your account, calculated at $20 per hour for up to four hours. This tier generally does not require documentary proof beyond attesting to the time spent.
  • Fraud claim — up to $200. For time spent addressing fraudulent use of your information — for example, untangling a benefit application that was filed in your name without your knowledge — calculated at $20 per hour for up to ten hours.
  • Special Compensation Fund — up to $5,000. For documented out-of-pocket losses directly tied to the breach: unreimbursed fraud losses, identity-theft remediation costs, credit-monitoring fees, and similar expenses. This tier requires supporting documentation, and payouts depend on the fund and the volume of valid claims.

The first two tiers compensate you for your time; the third reimburses you for money you actually lost or spent. Keep that distinction in mind — it matters for the tax analysis below.

How and when to claim

At the time of writing (June 2026), the claims portal had not yet opened. Under the terms of the approval, the claims process is expected to go live after the appeal period on the approval judgment runs out — realistically over the summer of 2026 — at which point eligible class members will have a defined filing window (reported as roughly six months) to submit a claim. Because the exact open and close dates depend on the appeal period and the administrator's schedule, confirm the live deadline directly with KPMG rather than relying on any single news report:

  • Online: breachsettlementcanada.kpmg.ca
  • By phone: 1-833-724-6160

A practical tip: even though the portal is not open yet, this is the moment to gather your records. If you dealt with a fraudulent benefit claim, an identity-theft file, or out-of-pocket costs after 2020, locate the paperwork now — CRA correspondence, police or credit-bureau reports, receipts, and any notices of reassessment — so that you can file a complete claim quickly once the window opens, particularly for the documentation-heavy Special Compensation Fund tier.

Is the settlement money taxable?

This is the question we are asked most, and the honest answer is: it depends on what the payment is for. Canadian tax law generally applies the surrogatum principle — a damages or settlement payment takes on the tax character of whatever it is meant to replace. Applied to these three tiers, the analysis tends to run as follows, though your own facts and any tax slip you receive govern:

  • Reimbursement of out-of-pocket losses (the Special Compensation Fund tier) generally is not income. Money that simply restores what you lost or spent does not, as a rule, enrich you, so it ordinarily is not taxable. The exception is where a payment replaces something that would have been taxable — for instance, lost business income — in which case that portion can take on the same character.
  • Compensation for your time and inconvenience (the access and fraud tiers) is personal in nature. Amounts of this kind, paid to an individual for non-pecuniary loss rather than for lost income, are commonly treated as non-taxable, but the treatment is not automatic and turns on how the payment is characterized.
  • Any interest component — if a settlement includes an interest element — is generally taxable as income, even when the underlying award is not.

Two practical points. First, watch for a tax slip. If the administrator issues a T-slip (for example, for an interest component), the CRA receives a copy too, and you should report what the slip shows. Second, nothing here is individualized advice — the characterization of a specific payment can be fact-dependent, and if your claim involves a large Special Compensation Fund amount or a business-loss element, it is worth a short conversation before you file your return for the year you receive it.

If a benefit claim was filed in your name

The most damaging fallout from the 2020 breach was not the snooping — it was fraud committed through the compromised accounts. A recurring pattern: an attacker used a hijacked CRA My Account or My Service Canada Account to apply for CERB, CRB, or EI benefits in the victim's name, directing the money to the fraudster. The victim then received a T4A or T4E slip reporting benefits they never saw, followed in some cases by a CRA reassessment or a demand to repay benefits they never received.

If that happened to you, the settlement claim is only half the picture. You may also need to correct your tax record so that the CRA stops attributing fraudulent benefits — and the tax on them — to you. That work can involve:

  • Reporting the identity theft to the CRA and to Service Canada and having the fraudulent benefit application flagged.
  • Getting the erroneous T4A/T4E slip corrected so it no longer shows income you never received.
  • Filing an objection to any reassessment that taxed you on the fraudulent amounts, or pursuing taxpayer relief from related interest and penalties.
  • Documenting the fraud thoroughly — which, helpfully, is the same evidence that supports your settlement claim.

We cover the benefit-repayment side of this in more depth in our note on year-end CERB considerations, and the broader problem of returns and applications filed in someone else's name in fraudulent filing.

Securing a compromised CRA account

Whether or not you claim, if your account was among those breached, treat it as compromised and lock it down. Sensible steps:

  • Change your password to one you have never used elsewhere, and stop reusing passwords across sites — reuse is exactly what credential stuffing exploits.
  • Turn on multi-factor authentication and the CRA's email-alert feature, which notifies you when key account details change.
  • Review your account for unfamiliar addresses, direct-deposit changes, filed returns, or benefit applications you did not make. A fraudulent return filed to redirect a refund is a known follow-on attack.
  • If you see signs of misuse, contact the CRA's individual line and ask that your account be flagged for identity theft, and consider a credit-bureau alert.

How Barrett Tax Law can help

For most people, the settlement claim itself is straightforward and does not require a lawyer — the KPMG portal is designed to be used directly, and you should not pay anyone a percentage of an $80 or $200 claim. Where our work begins is the tax fallout: a CRA reassessment for benefits you never received, a demand to repay CERB an impostor collected, an income slip reporting money that went to a fraudster, or a fraudulent return filed against your account. Those are tax disputes, and they are handled through objections, taxpayer-relief requests, and — where the CRA has already moved to collect — representation in dealing with the agency. Where historical filings need to be put right, the Voluntary Disclosures Program may also be relevant.

If a 2020 account breach turned into a tax problem you are still dealing with — a slip you cannot explain, a balance you do not owe, or a benefit repayment for money you never got — a free initial consultation is the place to sort out where you stand. Bring whatever CRA correspondence and documentation you have; even an incomplete file gives us a working basis to assess your options.

This article is general information about a public class-action settlement, not legal or tax advice, and it does not create a lawyer-client relationship. Settlement terms, claim amounts, and deadlines are administered by KPMG and the Federal Court; confirm current details and the live filing deadline at breachsettlementcanada.kpmg.ca or 1-833-724-6160 before acting. The tax treatment of any payment depends on your own circumstances.

We're on it

Need urgent representation against the CRA?

Free consultation. Fixed-fee quotes on most matters. We begin within 24 hours of retainer.

1-877-882-9829Schedule Consultation
☎ Call NowFree Consult