May 21, 2026 A new class action settlement tied to Canada Revenue Agency accounts is drawing widespread attention across the country as Canadians look into whether they may be eligible for compensation. The settlement allows eligible individuals to claim up to $5,000, but only if they can prove specific out-of-pocket losses connected to a 2020 data breach involving federal online accounts.
The case stems from a wave of credential stuffing attacks that targeted Government of Canada systems between March and December 2020. These attacks used stolen usernames and passwords from other breaches to gain unauthorized access to accounts, including CRA accounts, My Service Canada accounts, and others accessed through GCKey.
The lawsuit, formally known as Sweet v. His Majesty the King, was brought forward after those attacks led to unauthorized access to personal and financial information. In some cases, the breach also resulted in fraudulent activity, including misuse of government benefits tied to compromised accounts.
The settlement has now been approved by the Federal Court, with reports indicating the federal government will pay $8.7 million to resolve the claims. However, officials have made it clear that this is not a blanket payout for all Canadians. Eligibility is tightly defined, and compensation depends on the level of impact and the ability to provide supporting documentation.
To qualify, individuals must have had their information accessed without authorization during a specific window between June 15 and August 30, 2020 and must show that their data was either accessed or used fraudulently. In addition, eligible claimants are expected to have received notice from the settlement administrator and must be able to support the type of claim they are making.
The structure of the settlement reflects this tiered approach. Smaller claims are available for time spent dealing with account access issues or fraud, capped at $80 and $200 respectively. The largest category, the one attracting the most attention, comes from a Special Compensation Fund, which offers reimbursement of up to $5,000.
But that headline number is not automatic. It is reserved for individuals who can demonstrate actual financial losses tied directly to the breach. These may include unreimbursed fraud charges, identity theft recovery costs, or fees associated with credit monitoring and freezes. Claimants will need to provide documentation such as bank statements, invoices, or correspondence with financial institutions to support their claims.
The settlement also makes clear that payouts may be reduced depending on the total number of claims submitted. This means even eligible applicants may receive less than the maximum amounts advertised.
Importantly, the Government of Canada has denied wrongdoing as part of the agreement. The settlement is described as a compromise of disputed claims rather than an admission of liability.
The renewed attention around the case follows the court’s approval in May 2026, but there is still some uncertainty around the claims process. Official pages and the KPMG settlement administrator site continue to reference the approval stage, meaning Canadians are being urged to verify instructions carefully before submitting any personal information.
That caution is especially important given the risk of scams. Settlements tied to government agencies and financial data often attract fraudulent messages promising quick payouts. Officials warn Canadians to avoid any unsolicited communications that request sensitive information, promise guaranteed payments, or require upfront fees.
Instead, affected individuals are encouraged to rely only on official settlement communications and verified channels. The process is expected to include direct notifications to eligible class members outlining how to submit claims and what documentation is required.
