Canada Settles $8.7M Class-Action Over CRA Data Breach Affecting 47,000 Accounts

Severity: High (Score: 64.5)

Sources: Insurancebusinessmag, Uk.News.Yahoo, rhelaw.com, www.cbc.ca, Dailyhive

Summary

The Canadian federal government has agreed to pay $8.7 million to settle a class-action lawsuit concerning a data breach that compromised the personal information of over 47,000 Canadians. The breach occurred between March and December 2020, primarily due to 'credential stuffing' attacks on government online accounts, including the Canada Revenue Agency (CRA) portal. Hackers exploited weak security measures to access sensitive data, including social insurance numbers and banking details, and used this information to fraudulently apply for COVID-19 relief benefits. The settlement, approved by Federal Court Justice Richard Southcott, allows affected individuals to claim compensation based on the extent of the fraud experienced. The CRA has faced criticism for its inadequate security measures that enabled these breaches. The settlement also includes provisions for reimbursement of out-of-pocket losses related to identity theft and fraud. The case highlights ongoing vulnerabilities in government digital services amidst rising cyber threats. Key Points: • The Canadian government will pay $8.7 million to settle a class-action lawsuit over a data breach. • Over 47,000 Canadians had their personal information compromised through credential stuffing attacks. • The breach allowed hackers to fraudulently apply for COVID-19 benefits using victims' identities.

Key Entities

• Credential Stuffing (attack_type)
• Data Breach (attack_type)
• Canada Revenue Agency (company)
• Government Of Canada (company)
• KPMG (company)
• Murphy Battista LLP (company)
• Treasury Board Of Canada Secretariat (company)
• Canada (country)
• CWE-200 - Exposure of Sensitive Information (cwe)
• CWE-287 - Improper Authentication (cwe)
• Government (industry)
• T1078 - Valid Accounts (mitre_attack)
• T1110 - Brute Force (mitre_attack)
• GCKey (platform)