The CRA Breach Settlement: A £5,000 Lesson in Lazy Security and Lax Habits
The Canadian government has settled a class-action lawsuit over the 2020 credential stuffing attacks on CRA and My Service Canada accounts, offering up to £5,000 to victims. But this isn't just a story about hackers—it's a damning indictment of how both institutions and individuals treat personal data with reckless abandon. We explore the settlement, the sheer stupidity of credential stuffing, and why a tool like ccLuca might be the only sensible thing you do today.
Let’s be brutally honest: if you are one of the thousands of Canadians now eligible for a payout from the Government of Canada’s privacy breach settlement, you probably already knew your data was floating around the dark web like a dead fish in a canal.
The Federal Court approved an £8.76 million settlement on May 5, 2026, for a class action that alleges the government failed to safeguard the confidential personal and financial information of Canadians in various online portals. Victims of the 2020 credential stuffing attacks—which primarily targeted the Canada Revenue Agency (CRA) and My Service Canada accounts—can claim up to £5,000. But let’s not pretend this is a windfall. It’s a pittance for the chaos caused.
What Actually Happened in 2020?
Credential stuffing. It sounds technical, doesn’t it? But it’s really just the digital equivalent of a burglar trying your front door key on every house on the street because you were too lazy to change the locks.
According to the legal documents, hackers tested stolen login credentials—usernames and passwords pilfered from other breaches—across government portals. They banked on the fact that people reuse the same credentials everywhere. And they were right.
"The breach was a result of a credential stuffing attack by hackers who primarily targeted the CRA and Employment and Social Development Canada (ESDC)."
This isn’t sophisticated espionage. This is opportunism. And the government’s security measures were apparently about as effective as a chocolate teapot.
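What that opportunism looks like from the defender's side is worth showing. The script below is an added example, not part of the original article and not anything the CRA or ESDC published: it scans authentication logs for the signature of credential stuffing, which is one source address trying many different usernames once each with a high failure rate, as opposed to brute force, which hammers one account many times. The log format, the source addresses, the usernames and the thresholds are all constructed assumptions for the example; the successes inside a flagged burst are the accounts whose reused password matched, which is the list an incident responder would force-reset and notify.

```python
"""Flag credential-stuffing bursts in a simple authentication log.

Heuristic (assumed thresholds, tune for your own portal): a source IP that,
inside a sliding time window, attempts at least `min_distinct_users` distinct
accounts with a failure ratio of at least `min_failure_ratio` is reported,
together with the accounts that logged in successfully during the burst.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Assumed format per line:
# <ISO-8601 UTC timestamp> <source IP> <username> <FAIL|SUCCESS>
# 203.0.113.7 is a stuffing burst, 198.51.100.20 is a plain brute force on
# one account, 192.0.2.55 is an ordinary login. None of this is real data.
SAMPLE_LOG = """\
2020-08-01T02:00:01Z 203.0.113.7 alice.m FAIL
2020-08-01T02:00:02Z 203.0.113.7 bob.k FAIL
2020-08-01T02:00:02Z 203.0.113.7 carol.t SUCCESS
2020-08-01T02:00:03Z 203.0.113.7 dave.r FAIL
2020-08-01T02:00:03Z 203.0.113.7 erin.s FAIL
2020-08-01T02:00:04Z 203.0.113.7 frank.w FAIL
2020-08-01T02:00:04Z 203.0.113.7 grace.h SUCCESS
2020-08-01T02:00:05Z 203.0.113.7 heidi.p FAIL
2020-08-01T02:00:05Z 203.0.113.7 ivan.b FAIL
2020-08-01T02:00:06Z 203.0.113.7 judy.c FAIL
2020-08-01T09:15:00Z 198.51.100.20 alice.m FAIL
2020-08-01T09:15:30Z 198.51.100.20 alice.m FAIL
2020-08-01T09:16:00Z 198.51.100.20 alice.m SUCCESS
2020-08-01T10:00:00Z 192.0.2.55 bob.k SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    source_ip: str
    username: str
    success: bool


@dataclass(frozen=True)
class Finding:
    source_ip: str
    distinct_users: int
    attempts: int
    failures: int
    successes: int
    compromised_accounts: frozenset  # accounts that succeeded inside the burst


def parse_log(text):
    """Parse the assumed four-column log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, user, outcome.upper() == "SUCCESS"))
    return events


def detect_credential_stuffing(text, window=timedelta(minutes=5),
                               min_distinct_users=8, min_failure_ratio=0.7):
    """Return {source_ip: Finding} for every IP whose activity matches the
    stuffing heuristic. Per IP, the widest qualifying window is kept."""
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e.source_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        users_in_window = Counter()  # username -> attempts inside the window
        fails = succ = start = 0
        for end, e in enumerate(evs):
            users_in_window[e.username] += 1
            succ += e.success
            fails += not e.success
            # Slide the window start forward until it spans at most `window`.
            while e.ts - evs[start].ts > window:
                old = evs[start]
                users_in_window[old.username] -= 1
                if users_in_window[old.username] == 0:
                    del users_in_window[old.username]
                succ -= old.success
                fails -= not old.success
                start += 1
            attempts = fails + succ
            distinct = len(users_in_window)
            if distinct >= min_distinct_users and fails / attempts >= min_failure_ratio:
                hit = {x.username for x in evs[start:end + 1] if x.success}
                prev = findings.get(ip)
                if prev is None or distinct > prev.distinct_users:
                    findings[ip] = Finding(ip, distinct, attempts, fails, succ,
                                           frozenset(hit))
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_LOG).values():
        print(f"{f.source_ip}: {f.distinct_users} accounts, "
              f"{f.failures}/{f.attempts} failed, "
              f"reused-password logins: {sorted(f.compromised_accounts)}")
```

The brute-force source is deliberately not flagged: it touches a single account, so an account-lockout or rate-limit rule is the right control there, whereas the stuffing burst spreads one attempt across many accounts and would sail under a per-account lockout. Counting distinct usernames per source, not failures per account, is what makes the reuse pattern visible.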
Who Is Eligible for the Payout?
If your personal or financial information in a Government of Canada online account was disclosed to a third party without authorisation between March 1 and December 31, 2020, you are a Class Member. That includes:
- Canada Revenue Agency accounts
- My Service Canada accounts
- Any other account accessed using GCKey
To check your eligibility, you can visit KPMG’s eligibility checker. You’ll need your last name, email address, and the last three digits of your SIN. If you’re not eligible, the page will tell you. If you are, you might get a cheque. But don’t hold your breath for a life-changing sum.
The Real Problem: We Are All Lazy Sods
Here’s the uncomfortable truth. The government’s security was shoddy, yes. But the breach succeeded because millions of Canadians used the same password for their CRA account as they did for their Netflix subscription, their online grocery delivery, and that dodgy forum they signed up for in 2015.
We treat our financial data like yesterday’s newspaper. We snap a photo of a receipt, forget about it, and then wonder why our expense claims are a mess. We hand over our SIN numbers like they’re loyalty card points. And then we act shocked when someone helps themselves.
This is where I get off my high horse and point you to something that might actually help. If you’re an individual or a small team drowning in receipts and expense reports, stop using sticky notes and spreadsheets. Use something that doesn’t treat your data like a public library.
ccLuca is a tool that lets you snap a photo of a receipt, get AI-extracted data in three seconds, and generate expense reports instantly. No IT department. No enterprise software. Just you and your expenses, sorted. It’s built for people who don’t want to leave a trail of financial breadcrumbs for hackers to follow.
The Settlement: A Drop in the Ocean
The government has agreed to pay £8,760,500.90 to settle all claims. But let’s be clear: the Government of Canada denies any wrongdoing. This is a settlement, not an admission of guilt. It’s the corporate equivalent of saying, “I’m sorry you feel that way,” while handing over a cheque to make the problem go away.
KPMG, the court-appointed claims administrator, has been tasked with distributing the funds. But not all class members are entitled to payments. Only those who were actual victims of unauthorised access during the credential stuffing attack will see a penny.
What Should You Do Now?
First, check your eligibility. Second, change your passwords. Third, stop using the same password for everything. Fourth, get a password manager. Fifth, stop treating your financial records like a game of hide-and-seek.
And if you’re self-employed, a freelancer, or running a small team, start using a proper expense management tool. The expenses you forget to claim could buy you an iPhone every year. But more importantly, the receipts you lose or mishandle could cost you far more than a phone.
The Bottom Line
This settlement is a bandage on a bullet wound. The real issue is a culture of carelessness—both by institutions and individuals. The government failed to protect your data. But you also failed to protect yourself. It’s time to take responsibility.
Use a password manager. Use two-factor authentication. And for the love of all that is holy, stop writing your passwords on Post-it notes.