The federal government showed “a callous disregard” for the rights of thousands of Canadian taxpayers whose personal and financial information was compromised in a series of cyberattacks against Canada Revenue Agency’s online services, a proposed class-action lawsuit alleges.
Anne Campeau, a resident of South Woodslee, Ont., was one of the victims who had her information stolen. It was then used on Aug. 6 to fraudulently apply for two payments of the Canada Emergency Response Benefit (CERB), totalling $4,000.
Campeau, a police dispatcher with the city of Windsor, was never even eligible for CERB, since she was never out of work during the pandemic.
On Aug. 10, the 52-year-old was puzzled when she received an email from Canada Revenue Agency (CRA) notifying her of a new message in her account. She logged into her account and found no trace of the message, but later noticed her direct deposit details had been changed to a bank account in Quebec. The email address associated with her account had also been changed.
The proposed class-action lawsuit filed at the Federal Court in Vancouver on Aug. 24 is on behalf of “all persons whose personal or financial information in their [GCKey] account or their Canada Revenue Agency account was disclosed to a third party on or after March 15, 2020.”
That’s the date when millions of Canadians put out of work because of the pandemic became eligible to receive CERB payments. The Canada Emergency Student Benefit (CESB) was created two months later, on May 10.
Plaintiffs allege that “the online application system for the CERB and CESB programs was implemented hastily,” and that Canada did not take appropriate steps to protect taxpayers’ personal and financial information.
On August 15, the Treasury Board of Canada Secretariat announced in a press release that more than 14,500 GCKey and CRA accounts had been hacked in a series of cyberattacks, exposing thousands of Canadians’ social insurance numbers, home addresses, banking details and tax information.
“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts,” the press release explained.
Campeau says her password was “so obscure that nobody would’ve been able to guess it.” She says her line of work has made her very protective of her personal information because she’s seen firsthand what can happen to people whose identities are stolen.
Individuals who have been affected are going to have to monitor their credit indefinitely going forward.Angela Bespflug, Murphy Battista LLP
“The possibilities of how that information could be used are endless,” agreed lawyer Angela Bespflug from Murphy Battista LLP, the Vancouver-based firm pursuing this action.
“The scary thing about this type of attack, with such personal information, is that individuals who have been affected are going to have to monitor their credit indefinitely going forward,” she said, noting that some victims of the data breaches are students eligible for the CESB program.
“They’re 18, 19, 20… and they’re going to have to monitor their credit for the rest of their lives, really.”
To add insult to injury, some of the people whose information was compromised saw their CERB or CESB payments suspended pending investigation, which means they couldn’t access money they desperately needed in these hard times.
CRA “was alerted”
Federal government officials explained in an Aug. 17 press conference that the first of three cyberattacks happened 10 days earlier, on Aug. 7. The “credential stuffing” attacks allowed the perpetrators to access usernames and passwords for 9041 GCKey accounts, which can be used to access roughly 30 federal departments’ services.
Annette Butikofer, assistant commissioner of the information technology branch and Chief Information Officer at the CRA said the RCMP was notified of this first attack four days after the fact, on Aug. 11. A few days later, a second attack targeted 2,200 more accounts.
Watch: Here’s what officials said about the CRA cyberattacks in an Aug. 17 press conference. Story continues below.
It’s only after a third attack that CRA suspended their “My Account,” “My Business Account” and “Represent a Client” online services.
But according to the proposed lawsuit, taxpayers advised CRA their accounts had been breached as early as mid-March. “Yet the CRA failed to take reasonable steps to prevent further harm to the plaintiffs and other Class Members,” court documents read.
The CRA “knew, or ought to have known, that their online application system for CERB and CESB was vulnerable to cyber security incidents, and the defendant failed to take reasonable and adequate measures to protect the personal and financial information of the [affected users] both before and after launching the online CERB and CESB programs,” the lawsuit claims.
This leads Bespflug to believe the number of people affected by the data breaches could be higher than the 11,200 estimated by CRA. “We’re definitely aware of people who were affected and whose personal and financial information was compromised who were not advised by CRA,” she said, adding that it’s possible the full ramifications of the cyberattacks aren’t yet known at this time.
“But certainly, every day, we’re learning of more and more people who have been affected,” the lawyer said.
The CRA refused to comment on the allegations of negligence, breach of privacy, breach of confidence, and reckless intrusion upon seclusion in the handling of the recent cyberattacks, citing the ongoing RCMP investigation and court proceedings.
“The safety and security of Canadians, and their information, is a priority for Canada Revenue Agency. We are continuing to work with our government counterparts to respond to this cyberattack and cooperating with the RCMP in its ongoing investigation,” CRA spokesperson Christopher Doody told HuffPost Canada in an email.
“The CRA understands the frustrations caused by scammers and is committed to taking action to assist those who may have been targeted in these recent cyber attacks,” he added.
Since she found out her account had been breached, Campeau says she has spent roughly six hours on the phone with CRA, to make sure she wouldn’t be on the hook to pay taxes on the fraudulent CERB payments she did not receive. She says she still hasn’t heard anything from the CRA regarding the data breach and its implications for her future dealings with the department.
She took it upon herself to protect her credit, notifying monitoring agencies Equifax and Transunion, as well as any institutions where she holds bank accounts, credit cards or a mortgage. She’s also signed up for various credit monitoring services, which could cost her a few hundred dollars every year.
I just know that my information is floating around on the dark web and I am not impressed with that.Anne Campeau, identity theft victim
It’s for that kind of stressful and costly step, among other things, that the proposed class action lawsuit is seeking compensation, as well as any CERB or CESB amounts owed to the victims of fraud.
The lawsuit also mentions that Quebec residents could be entitled to further compensation under dispositions of the Civil Code of Québec and the province’s Charter of Human Rights and Freedoms.
But even if the lawsuit goes forward and is successful, it could take years for those affected to get a dime, since the proceedings take time.
In the meantime, Campeau is plagued by the uncertainty of it all. She doesn’t know who has access to her personal information and, by extension, her spouse’s, because they file taxes jointly.
“I just know that my information is floating around on the dark web and I am not impressed with that,” she said. “I can retire in a couple of years. I don’t want to be retired and all of a sudden start getting calls that I’ve defaulted on credit cards that I don’t own.”