Class action on Canada Revenue Agency data breach certified by Federal Court of Canada

Suit claims 'operational failures' let hackers grab personal and financial information of thousands

Class action on Canada Revenue Agency data breach certified by Federal Court of Canada

A Federal Court of Canada judge has certified a class action alleging that data breaches allowed hackers to access thousands of Canadians’ personal and financial information through Government of Canada websites.

Federal court judge Richard Southcott wrote in Todd Sweet v. Her Majesty the Queen that “the plaintiff’s action meets the goals that animate class proceedings,” pointing out that certifying the class achieves “judicial economy.” There “are at least some aspects of the litigation that can be advanced in common and therefore will not require repetition” multiple times, he ruled.

“I am satisfied there is a basis in fact to conclude that a class proceeding is the preferable procedure for the just and efficient resolution of the common questions in this matter.”

Anthony Leoni, a partner at Rice Harbut Elliott LLP, representing plaintiffs in the class action, welcomed the decision, saying: “Although certification is not a determination of the merits of the action, the plaintiffs are pleased that the court certified essentially all of the common issues that were proposed.” This decision “is an important first step in holding government defendants accountable if they fail to take reasonable steps.”

He adds that over the last few years, “there have been conflicting decisions at the certification stage with respect to the potential liability of ‘database defendants’ for claims relating to negligent conduct in securing online portals.”

This decision “is consistent with previous decisions from the Federal Court, British Columbia Courts and some Ontario judges, and confirms that on a pleadings analysis, there can be a cause of action against a defendant for failing to secure databases even where there is a third-party bad actor is involved.”  

Justice Southcott also appointed plaintiff Todd Sweet, resident of Clinton, British Columbia, as the proposed class representative for the proposed class proceeding. Sweet claims that in July 2020, he logged into his Canada Revenue Agency account after receiving emails notifying him that his email address had been removed from his account.

Sweet also discovered that his direct deposit information had been changed on June 29, 2020, using his account. “An unknown and unauthorized individual had made four applications for the Canada Emergency Response Benefit [CERB], a program initiated by the Government to provide financial assistance to qualifying Canadians during the COVID-19 pandemic.”

The Government of Canada is named as the defendant, including the Minister of National Revenue of Canada (responsible for the CRA) and the Minister of Families, Children, and Social Development, responsible for Employment and Social Development Canada programs.

The claim alleges that Sweet and the other class members suffered damage that includes:

  • costs incurred in preventing identity theft
  • identity theft; increased risk of future identity theft
  • damage to credit reputation and mental distress
  • money withdrawn from their bank accounts without their consent
  • loans applied for in their names without their consent
  • credit card fraud
  • inability to access benefits and payments to which they were entitled
  •  out-of-pocket expenses
  • time lost in communication with the CRA, ESDC and other Crown agencies to address the data breaches
  • and time lost in precautionary communications with third parties such as credit agencies to inform them of the potential that personal and financial information may have been compromised.

The representative plaintiff is one of the thousands whose online government accounts were vulnerable to hackers from approximately June to August 2020. They had CRA accounts, My Service Canada Accounts, and other online accounts accessed via the Government of Canada Branded Credential Service Key (GCKey). The plaintiffs alleged “operational failures” by the Canadian government to properly secure the portals providing access to these accounts.

My Account allows Canadian taxpayers to access CRA’s services online and manage their tax affairs. Taxpayers can access My Account in three different ways: through CRA’s Credential Management System; through a sign-in partner such as using a bank card; or through a BC Services Card. Only the first of these methods was affected by the data breaches that are the subject of this action.

Registering for My Account using CRA’s CMS involves an individual taxpayer creating a CRA user ID and password, as well as selecting five security questions and creating answers to those questions, following which CRA provides the taxpayer with a security code to be used to complete the registration process. The taxpayer can then view detailed tax information, including the status of tax returns, notices of assessment and reassessment, RRSP deduction limits, TFSA contribution room, and tax information slips, as well as personal information, including addresses, telephone numbers, direct deposit banking information, marital status, and children in the taxpayer’s care. The taxpayer can also apply for CERB and other benefits through My Account.

ESDC also maintains an online portal, My Service Canada Accounts, which individuals can use to access several programs such as Employment Insurance, Canada Pension Plan and Old Age Security. Users can register for and subsequently access their MSCA through three methods:

  • Using a GCKey credential
  • Using a sign-in partner
  • Using a provincial digital identification in Alberta or British Columbia

Only the first of these methods, using GCKey, was affected by the data breaches that are the subject of this action.

The federal court was told that there was unauthorized activity on Sweet’s CRA account in June, July, and August 2020. This includes his account being accessed on June 29, 2020, using a valid username and password, “without any signs of brute force attack or password guessing, as well as a correct answer to the randomly selected security question after only one failed attempt.”

The user accessing the account then modified the security questions and answers, likely to maintain continued access to the account, deleted the email address on file, changed the direct deposit information, and applied for four periods of CERB.

Sweet alleges that, by obtaining unauthorized access to those accounts, hackers were able to commit identity theft and CERB fraud by accessing sensitive and personal information – Social Insurance Numbers, direct deposit banking information, tax information, dates of birth, records of employment, information regarding employment insurance, and other benefits information.

The plaintiffs allege the federal government’s GCKey and CRA My Account profiles were subject to what cybersecurity experts describe as a “credential stuffing” attack. The hackers targeted CRA and ESDC to fraudulently apply for COVID relief benefits (CERB and the Canada Emergency Student Benefit) introduced in spring of 2020.

“Credential stuffing” is a form of cyber attack that relies on using one system’s stolen credentials (username and password) to attack another and gain unauthorized access to an account. This attack relies on reusing the same username and password combinations by people over several services. Threat actors sell lists of credentials on the Dark Web.

Credential stuffing usually refers to the attempt to gain access to many accounts through a web portal using an automated bot system rather than manually entering the credentials. “In July 2020, CRA’s My Account experienced large numbers of failed logins, which have since been identified as a precursor to, or otherwise part of, a credential stuffing attack against that service.”

Justice Southcott’s decision outlined how a “threat actor” attempting to access a particular My Account through credential stuffing would typically have to successfully answer one of the five security questions selected by the user. However, during the attack in the summer of 2020, the threat actor “was able to bypass the security questions and access My Account because of a misconfiguration in CRA’s credential management software,” Justice Southcott wrote.

CRA learned of this method to bypass the security questions on August 6, 2020, when it received a tip from a law enforcement partner that such a method was being sold on the Dark Web. Among other steps taken to respond to the data breach, CRA subsequently identified the relevant misconfiguration in its software, which it remedied on or about August 10, 2020.

In the meantime, at least 48,110 My Accounts were impacted by the unauthorized use of credentials, meaning that the threat actor was able to enter a valid CRA user ID and password. Of those 48,110 My Accounts, 21,860 involved no progress by the threat actor beyond entering the ID and password, such that the threat actor did not access the accounts.

“This is potentially understood as a stage of the attack in which the threat actor was ensuring that the credentials worked,” Justice Southcott wrote in his decision, adding the hacker logged in to 26,250 My Accounts. In 13,550 of the My Accounts, although the security question bypass was used, the hacker only viewed the homepage, meaning that some personal information was accessed, but no application was submitted for CERB. “In 12,700 of the My Accounts, the threat actor changed the relevant taxpayer’s direct deposit banking information and fraudulently applied for CERB.”

Similarly, he wrote the evidence indicates that the data breach potentially impacted 5,957 accounts across several ESDC services. This includes 3,200 compromised My Service Canada accounts used to access CRA My Accounts via the link between MSCA and CRA, 1,200 of which were used to apply for CERB or other COVID-related benefits.

The government raised several arguments supporting its position that the plaintiff’s pleadings do not disclose a reasonable cause of action in systemic negligence. One is that the plaintiff failed to plead any facts to support a relationship of proximity necessary to establish a prima facie duty of care.

However, Justice Southcott ruled in favour of the plaintiff’s argument that the requisite proximity, in this case, arises from the relationship between government entities who have offered online access to data and individuals who have availed themselves of that access. “In my view, this is a reasonably arguable position,” he wrote.

In arguing against certification, the federal government argued that Sweet “is not an appropriate representative, arguing that he does not have a basis for a claim against the Defendant and that his claim is not representative of the claims of the proposed class members.”

However, Justice Southcott wrote in his decision: “There is clearly a basis in fact, relying even on the defendant’s evidence, to conclude that the plaintiff’s CRA My Account was accessed without authorization in the summer of 2020 and that he therefore falls within the class definition.”

He went on to write that “to the extent there may be differences, as between the plaintiff and other class members, as to the circumstances under which an account was breached or the mechanisms employed to accomplish such breach, I am not convinced that such differences would undermine the plaintiff’s ability or motivation to fairly and adequately represent the interests of the class.”

The judge added that the government “may be able to rely on this evidence at a future stage in the proceeding in an effort to argue either that the defendant is not liable to the plaintiff or that there are aspects of other class members’ claims which differ from those of the plaintiff.”

In this case, Justice Southcott ruled that the class is “all persons whose personal or financial information in their Government of Canada online account was disclosed to a third party without authorization between March 1, 2020, and December 31, 2020,” with specific exclusions.

“Excluded Persons” includes all who contacted Murphy Battista LLP, the former law firm in this case, with Federal Court file number T-982-20, before June 24, 2021. That is because, in early April 2021, Murphy Battista LLP experienced its own data breach, in which unauthorized parties could gain access to the firm’s networks.

The federal government subsequently brought a motion to stay this action, arguing the Federal Court lacks the jurisdiction to hear a third-party claim that the defendant intended to pursue in relation to any members of the proposed class who may have had their information compromised in both the government data breaches and the law firm data breach.

However, Rice Harbut Elliott replaced Murphy Battista and, in opposing the defendant’s stay motion, prepared pleading amendments intended to narrow the proposed class and the scope of its claim to exclude those who contacted Murphy Battista about this class action. This led to a draft third amended statement of claim, which also proposed replacing the previous class representatives with Sweet as the representative plaintiff.

Related stories