Canadian Underwriter

Canadian government named in class-action privacy breach lawsuit


September 3, 2020   by Greg Meckbach



The federal government is facing a proposed class-action lawsuit over data breaches earlier this year affecting thousands of online service users.

Criminals were able to get the user names and passwords of 9,041 users of GCKey, the federal government announced in August. GCKey lets people access multiple federal government services – including Employment and Social Development Canada’s MyService Canada Account – over the Internet.

In response to the breach, Vancouver-based law firm Murphy Battista LLP is proposing a class action. The proposed class is all persons whose personal or financial information in their federal Credential Service account or their Canada Revenue Agency account was disclosed to a third party on or after Mar. 15, 2020. Murphy Battista lawyers Angela Bespflug and Janelle O’Connor filed the statement of claim Aug. 24. Three representative plaintiffs are named.

Among the allegations contained in the statement of claim are that Canada Revenue Agency failed to notify victims of the breach and the general public in a timely manner that people’s personal and financial information had been compromised. The statement of claim also alleges the government failed to take reasonable steps when it knew or ought to have known that cyber security incidents were taking place.

Allegations against the government contained in the statement of claim have not been proven in court. A court must first agree to certify a class before it can establish the facts and judge the merits of the claim.

For its part, the government said Aug. 15 it has “robust systems and tools in place to monitor, detect and investigate potential threats, and neutralize them as quickly as possible.”

The class action lawsuit alleges the personal and financial information of the plaintiffs was disclosed to a third party. That information includes social insurance numbers (“SIN”), annual tax returns, banking information, family information, disability benefit information, and home addresses.

The causes of action include obligations under the federal Privacy Act, as well as the common law duty of care in the collection, retention and disclosure of people’s personal and financial information. Another head of damage is the controversial new tort “intrusion upon seclusion,” which was first established in Ontario in 2012. The tort essentially recognizes significant invasions of privacy.


In the lawsuit filed against the federal government Aug. 24, 2020, the plaintiffs did not put a specific dollar value on damages in the claim filed in court. They did, however, identify a number of heads of damage, including costs incurred in preventing identity theft, damage to credit reputation, mental distress, and time the plaintiffs lost in notifying parties such as credit card providers.

Canada has seen “an explosion in privacy class actions over the last number of years,” David Fraser, Halifax-based privacy lawyer for McInnes Cooper, told Canadian Underwriter earlier.

In the event of a privacy breach, an organization could be sued for negligence, breach of confidence, breach of fiduciary duty, or breach of contract, Fraser said at the time, commenting in general on cyber risk and not on any specific case.

The federal government announced Aug. 15 that of about 12-million active GCKey accounts, the passwords and usernames of 9,041 users were acquired fraudulently. Criminals used those credentials to try and access government services. A third of those did access such services “and are being further examined for suspicious activity,” the government said at the time.

As part of that GCKey attack, and a separate “credential stuffing” attack, about 5,500 Canada Revenue Agency accounts were targeted.

The government defines “credential stuffing” as attacks that use passwords and usernames collected from previous hacks or other attacks, taking advantage of the fact that many people reuse passwords and usernames across multiple accounts.


6 Comments » for Canadian government named in class-action privacy breach lawsuit
  1. Suzanna calhoun says:

    Well as someone sitting on hold with the CRA as I write this post….this is my 200th hour. And weeks of waiting I have lost my child tax credit all my credit cards debit card. And bank accounts. They won’t talk to us and finally today the lottery smiles and I finally got a reference number to call in. They have stolen my whole life and I have been reduced to selling my belongings to feed my kids. They don’t care about us and in a time when we’re supposed to be in this together. This sucks and I’ve cried every night since this has happened. I’m so let down by my government. That’s my opinion on what’s happening. Once they stole my information they stole my life. Is there an amount of money that’s gonna fix my pride, self worth and humanity that goes with having everything in your world taken by identity thieves? My name’s Sue.

  2. Lorraine says:

    These breaches occurred long before August 2020!!!! I think I know exactly when and how this occurred!

    I am submitting an Access to Information and Personal Information Request to CRA under the Access to Information Act and the Privacy Act.

    I encourage everyone who has been affected by this breach to do the same!

  3. Ron says:

    My spouse had their account hacked, a number of things got changed. We apparently are no longer married, I owe $400 for child support, he owes $700 for child support, plus someone took $14,000 from the relief fund. It is an utter joke! It is isn’t sorted out, the CRA should have been able to tell that he was working as they receive details and tax each bloody month.

    • Ron Banerjee says:

      Same, I’m not married anymore, I owe $400, other half owes $500, plus $10,000 CERB. I, like you, don’t understand, CRA gets our tax money every month, they should know that he was working. It isn’t rocket science.

  4. Nikki Matheson says:

    I have filed several complaints to CRA when this happened, on hold for hundreds of hours. Submitted a “Service Complaint” to the National Intake Center….twice, once by mail, once by fax, since getting through on the phone is impossible. I never heard back except a bunch of non-related letters to my home address to the “trustee of (me)”, yup, I’m apparently dead according to the CRA. Since going a full year without being able to get through on the phone, nor acknowledgement of my detailed complaint to the National Intake service, I contacted the Ombudsman for the Canadian Taxpayer. They were able to contact CRA on my behalf, and they now have 30 days (from Feb 2nd) to respond to me on this matter. It will be interesting to see how this tax year works out since I never claimed CERB (but the hacker did), and cannot access “my account” (still locked out). So I don’t know what else has been done to my account …but I assure you, I’m not dead.

  5. Mel Kurlicki says:

    I am glad to know I am not alone. Anyone who can offer any advice, I am not even sure I can think straight. I apparently received 18,500 in CERB/sickness benefits, child benefits…yet I never asked for any, never saw, but my CRA my account shows T4, T5007 (ODSP) with incorrect amounts of the slips I had. CRA has me showing an income of 48K! This has now snowballed so bad, this ongoing fight… The rep accused me, was rude, talked over me and wouldn’t let me give explanation or send my proof.
    I even refiled and found out today despite signing off about the error I found, they won’t accept it; it is on hold. I finally today got through on the phone to someone to close my CRA account fully. Now for next steps…. I am debating filing Bankruptcy if this can’t be solved. I now have lost my vehicle, my job, my ODSP and I am praying I don’t lose my assisted housing.

    FYI, I have been to my local MPP/MP (local government officials office) and I did not vote this past week due to loss of faith in all government and departments. I am a single mom who is just struggling all around trying to raise my 13 year old daughter. My depression, anxiety has only got worse since the pandemic and help is not there either.

    Why does it feel Canada is falling apart? Sigh, just looking for advice/help to recover from this giant avalanche that the CRA site has caused.
