Canadian Underwriter
News

Canadian government named in class-action privacy breach lawsuit


September 3, 2020   by Greg Meckbach


Print this page Share

The federal government is facing a proposed class-action lawsuit over data breaches earlier this year affecting thousands of users of online service users.

Criminals were able to get the user names and passwords of 9,041 users of GCKey, the federal government announced in August. GCKey lets people access multiple federal government services – including Employment and Social Development Canada’s MyService Canada Account – over the Internet.

In response to the breach, Vancouver-based law firm Murphy Battista LLP is proposing a class action. The proposed class is all persons whose personal or financial information in their federal Credential Service account or their Canada Revenue Agency account was disclosed to a third party on or after Mar. 15, 2020.  Murphy Battista lawyers Angela Bespflug and Janelle O’Connor filed the statement of claim Aug. 24. Three representative plaintiffs are named.

Among the allegations contained in the statement of claim are that Canada Revenue agency failed to notify victims of the breach and the general public in a timely manner that people’s personal and financial information had been compromised. The statement of claim also alleges the government failed to take reasonable steps when it knew or ought to have known that cyber security incidents were taking place.

Allegations against the government contained in the statement of claim have not been proven in court. A court must first agree to certify a class before it can establish the facts and judge the merits of the claim.

For its part, the government said Aug. 15 it has “robust systems and tools in place to monitor, detect and investigate potential threats, and neutralize them as quickly as possible.”

The class action lawsuit alleges the personal and financial information of the plaintiffs were disclosed to a third party. That information includes social insurance numbers (“SIN”), annual tax returns, banking information, family information, disability benefit information, and home addresses.

The causes of action include obligations under the federal Privacy Act, as well as the common law duty and care in the collection, retention and disclosure of people’s personal and financial information. Another head of damage is the controversial new tort “intrusion upon seclusion,” which was first established in Ontario in 2012. The tort essentially recognizes significant invasions of privacy.

Related: Canada Revenue Agency suspends online services after cyberattacks

In the lawsuit filed against the federal government Aug. 24, 2020, the plaintiffs did not put a specific dollar value on damages in the claim filed in court. They did however identify a number of heads of damage, including costs incurred in preventing identity theft, damage to credit reputation, mental distress, and time the plaintiffs lost in notifying parties such as credit card providers.

Canada has seen “an explosion in privacy class actions over the last number of years,” David Fraser, Halifax-based privacy lawyer for McInnes Cooper, told Canadian Underwriter earlier.

In the event of a privacy breach, an organization could be sued for negligence, breach of confidence, breach of fiduciary duty, or breach of contract, Fraser said at the time, commenting in general on cyber risk and not on any specific case.

The federal government announced Aug. 15 that of about 12-million active GCKey accounts, the passwords and usernames of 9,041 users were acquired fraudulently. Criminals used those credentials to try and access government services. A third of those did access such services “and are being further examined for suspicious activity,” the government said at the time.

As part of that GCKey attack, and a separate “credential stuffing” attack,  about 5,500 Canada Revenue Agency accounts were targeted.

The government defines “credential stuffing” as attacks that use passwords and usernames collected from previous hacks of other attacks, taking advantage of the fact that many people reuse passwords and usernames across multiple accounts.

Feature image via iStock.com/Olena_T


Print this page Share

2 Comments » for Canadian government named in class-action privacy breach lawsuit
  1. Suzanna calhoun says:

    Well as someone sitting on hold with the Cra as I wright this post….this is my 200th hour. And weeks of waiting I have lost my child tax credit all my credit cards debit card. And bank accounts. They won’t talk to us and finally today the lottery smiles and I finally got a reference number to call in. They have stolen my whole life and I have bene reduced to selling My belongings to feed my kids. They don’t care about us and in a time when we’re supposed to be in this together. This sucks and I’ve cried everynight since this has happened. I’m so let down buy my government. That’s my opinion on what’s happening. Once they stole my information they stole my life. Is there an amount of money that’s gonna fix my pride, self worth and humanity that goes with having everything in your world taken buy identity thieves? My names sue.

  2. Lorraine says:

    These breaches occurred long before August 2020!!!! I think I know exactly when and how this occurred!

    I am submitting an Access to Information and Personal Information Request to CRA under the Access to Information Act and the Privacy Act.

    I encourage everyone who has been affected by this breach to do the same!

Have your say:

Your email address will not be published. Required fields are marked *

*