In recent years, privacy breaches have become all too common, with governments and private organizations experiencing cyberattacks and data breaches that compromise the personal information of millions of individuals. In this blog post, we delve into the specific case of the Government of Canada’s privacy breach and the resulting class action lawsuit. We will discuss the details of the breach, its implications, and how this incident highlights the importance of data protection measures by governmental bodies.


  1. Understanding the Government of Canada Privacy Breach:

In August 2020, the Government of Canada confirmed a significant privacy breach that affected thousands of Canadians. The breach occurred within the Canada Revenue Agency’s (CRA) online platform, which is used by individuals to file their taxes and access their personal information.


The CRA discovered that cybercriminals had exploited a vulnerability in the platform’s website security, allowing them unauthorized access to user accounts. Using credentials previously stolen from other sources, hackers were able to gain entry to the CRA system and access sensitive personal information, such as social insurance numbers, names, and addresses.


Approximately 5,500 CRA accounts were compromised, and the personal information of approximately 9,041 individuals was accessed without authorization. This breach was a concern for affected individuals, as their personal and financial information was potentially exposed.


The government took immediate action to address the situation. The website was shut down temporarily to fix the vulnerability, and Canadians were urged to monitor their financial accounts for any suspicious activities. Those affected were notified directly by the CRA, and steps were taken to enhance security measures to mitigate the risk of future breaches.


The privacy breach sparked public outrage and raised questions about the security of government online platforms. It also highlighted the ongoing challenge of protecting personal information in the digital age, with cybercriminals becoming increasingly sophisticated in their methods.


The incident prompted the government to launch investigations into the breach, involving the Royal Canadian Mounted Police (RCMP) and the Office of the Privacy Commissioner of Canada. The findings of these investigations could have implications for the security and privacy practices of government departments and agencies.


Overall, the government has acknowledged the seriousness of the privacy breach and has committed to strengthening security measures further to ensure the protection of Canadians’ personal information in the future.

  2. Who is Affected by the Government of Canada Privacy Breach in 2020:

Your government online account can only be accessed via the GCKey, a standards-based authentication service. Its purpose is to provide Canadians with secure access to online information. It is a unique and anonymous credential that protects communications with online government programs and services. The cybercriminals accessed the accounts via the GCKey. 

Many who were affected by the privacy breach had the direct deposit banking information on their accounts changed without their permission. Fraudulent applications for the Canada Emergency Response Benefit (CERB) were then made through their accounts. Most received notice of the account changes via email, but at that point it was too late. The privacy breach had already occurred.


Every affected person whose government online account was accessed via the GCKey between March 1 and December 2020 is automatically included in the class action.

Any affected person who wishes to opt out can do so by emailing the class action counsel; in that case, no outcome of the class action, good or bad, would apply to them.


  3. Future Precautions:

Here are some recommendations for both the Government of Canada and individuals on best practices for data protection, focusing on ongoing monitoring, encryption, and proactive cybersecurity measures:




Individuals:

  1. Use strong, unique passwords: Create complex passwords for all online accounts, and avoid reusing passwords between different platforms. Consider using password managers to generate and store passwords securely.

  2. Enable two-factor authentication (2FA): Enable 2FA whenever possible to add an extra layer of security to online accounts, requiring an additional verification method during login.

  3. Regularly update software and devices: Keep operating systems, applications, and devices up to date with the latest security patches and updates to protect against known vulnerabilities.

  4. Be cautious of phishing attempts: Be vigilant and skeptical of unsolicited emails, messages, or phone calls that request personal information or contain suspicious links. Avoid clicking on unknown links and verify the authenticity of communication before providing sensitive data.

  5. Encrypt sensitive data: Utilize encryption tools for sensitive data, such as financial information or personal documents, to protect it from unauthorized access.

  6. Back up important data: Regularly back up critical data to an external storage device or cloud service, ensuring that it is securely stored and easily recoverable in case of data loss or compromise.

  7. Install reputable security software: Use reliable antivirus and anti-malware software to protect devices from known threats and regularly update them for the latest protection.

  8. Stay informed: Stay updated with the latest cybersecurity news, trends, and best practices to enhance personal data protection knowledge and adapt to emerging threats.


Government of Canada:


  1. Implement a comprehensive data protection policy: Develop and enforce a strong policy framework that outlines the standards, guidelines, and procedures for data protection within the government sector.

  2. Conduct regular risk assessments: Continuously assess the potential risks and vulnerabilities to data security, identifying areas for improvement and taking proactive measures to address issues.

  3. Implement robust encryption methods: Utilize strong encryption algorithms to protect sensitive data, both at rest and in transit, ensuring that all communications and storage systems are adequately encrypted.

  4. Emphasize employee training and awareness: Conduct regular training sessions to educate employees about data protection best practices, such as identifying phishing attempts, keeping software up to date, and adhering to password requirements.

  5. Establish strict access controls: Implement a role-based access control system to restrict access to sensitive data, ensuring that employees only have the access privileges required for their job roles.

  6. Regularly update and patch systems: Frequently update software and hardware, including security patches, to mitigate possible vulnerabilities and protect against emerging threats.

  7. Conduct ongoing monitoring and incident response: Continuously monitor networks, systems, and applications, leveraging security information and event management (SIEM) tools to detect and respond to any potential security incidents promptly.


By following these recommendations, both the Government of Canada and individuals can strengthen their data protection practices, mitigate risks, and enhance cybersecurity measures.


  4. Implications for Affected Individuals:

The Government of Canada holds a significant amount of personal information, ranging from social insurance numbers to healthcare records. With such data potentially falling into the wrong hands, the implications for affected individuals can be severe.


  1. Loss of Personal Information: Affected individuals may face the loss or compromise of their personal information, such as names, addresses, social insurance numbers, or financial details. This breach can lead to identity theft, fraud, or other malicious activities.

  2. Financial Consequences: In some cases, the data breach may result in financial losses for affected individuals. Cybercriminals can utilize stolen information to initiate unauthorized transactions, open fake accounts, or perform fraudulent activities, causing financial harm to victims.

  3. Reputational Damage: Privacy breaches, especially those involving government entities, can result in reputational damage for both the affected individuals and the government. Such incidents may erode public trust and confidence in the government’s ability to safeguard personal information.

  4. Emotional Stress: Privacy breaches can cause significant emotional distress for affected individuals, who may feel violated or anxious due to the potential misuse of their personal data. Dealing with the aftermath of a breach, such as cancelling cards, changing passwords, or dealing with identity theft, can also be emotionally exhausting.

  5. Increased Vulnerability: Once personal information is compromised, affected individuals may be at higher risk for future cyberattacks or data breaches. This is because cybercriminals tend to sell or share stolen data within their networks, making individuals susceptible to further privacy breaches or identity theft.


  5. Role of the Government in Data Privacy:

The Canadian government has made several efforts to prevent privacy breaches and enhance data protection measures. One significant step taken was the enactment of the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000. PIPEDA sets out rules for collecting, using, and disclosing personal information in the course of commercial activities.

Under PIPEDA, organizations are required to obtain individual consent to collect, use, or disclose personal information, and must take appropriate security measures to protect this information. The government also established the Office of the Privacy Commissioner of Canada (OPC) as an independent agency responsible for overseeing compliance with PIPEDA and promoting privacy rights.

The OPC has been actively working to ensure data protection through various means. They conduct investigations and audits to identify and remedy privacy concerns, issue guidelines and best practices for organizations, and educate individuals on privacy rights and responsibilities. Additionally, the OPC engages in research, policy development, and advocacy to enhance privacy protection.

In recent years, the Canadian government has recognized the need to strengthen data protection measures further. In 2018, Canada introduced the Digital Privacy Act to amend PIPEDA and enhance privacy provisions. These amendments introduced mandatory breach notification requirements, increased fines for non-compliance, and clarified rules on cross-border data transfers.

The effectiveness of current data protection measures in Canada is still evolving. The introduction of mandatory breach notification has helped in increasing awareness and addressing privacy breaches promptly. However, there are ongoing debates about the adequacy of fines and penalties for non-compliance, as well as concerns regarding the enforcement powers and resources of the OPC.

While the Canadian government has taken significant steps to protect privacy, there is always room for improvement in a rapidly evolving digital landscape. Ongoing efforts should focus on strengthening compliance mechanisms, ensuring meaningful consent, and continuously updating privacy laws to keep pace with technological advancements and emerging risks.

In the wake of this class action, questions arise regarding the government’s responsibility to safeguard citizens’ data. 


  6. Class Action Lawsuit:


A class action lawsuit has been initiated by Todd Sweet and HRE Law against the CRA and the Government of Canada. The plaintiffs allege that the defendants were negligent in safeguarding the confidential information of Canadians, leading to widespread privacy breaches.

Some residents received notices of the breach between March 1 and December 31, 2020. Todd Sweet claims that inadequate safeguards allowed cybercriminals to access Canadians’ online accounts without their consent, view confidential and private details and, in many cases, apply for the Canada Emergency Response Benefit.

Class actions play a crucial role in ensuring accountability and compensation for individuals impacted by privacy breaches in Canada. Here are some key points outlining their importance:


  1. Consolidated Legal Actions: Class actions allow numerous individuals who have been affected by a privacy breach to join forces and bring a collective legal action against the responsible party. This consolidation of plaintiffs strengthens their position in seeking justice and holds the defendant accountable for their actions.

  2. Access to Justice: Privacy breaches can harm a large number of individuals who may lack the financial resources to pursue individual lawsuits. Class actions provide a cost-effective means for those impacted to seek compensation, as legal fees and expenses are shared among the entire class.

  3. Deterrence: Class actions act as a deterrent to organizations or entities engaging in privacy breaches. By facing the potential for significant financial liability, companies are encouraged to implement robust privacy protection measures to avoid breaches that could lead to legal action.

  4. Compensation: Class actions ensure that affected individuals have an opportunity to be adequately compensated for the harm suffered due to a privacy breach. This compensation may cover direct financial losses, as well as damages for emotional distress, reputational damage, or other non-economic losses.

  5. Behavioural Changes: Successful class actions can bring systemic changes to organizations’ practices regarding privacy and data protection. Holding businesses accountable for their actions through court decisions or settlements can lead to stronger safeguards, policies, and protocols to protect individuals’ personal information.

  6. Transparency and Public Awareness: Class actions shed light on privacy breaches, making the general public more aware of the risks and consequences associated with improper handling of personal data. These lawsuits often receive media attention, leading to increased scrutiny and discussion around privacy issues, which further emphasizes the importance of privacy protection.

The Government of Canada privacy breach class action lawsuit serves as a reminder of the constant threats to our personal data and the significance of strong privacy protection measures. By shining a light on this case and addressing its implications, we hope to emphasize the importance of robust cybersecurity practices in the public sector and empower individuals to safeguard their own personal information.