Hackers stole CERB benefits of at least 12,700 Canadians, alleges class-action lawsuit

A retired police officer from B.C. is leading the class action lawsuit against the Government of Canada after he claims he was among thousands of Canadians victimized by hackers


A class action against the Canadian government for alleged negligence in the hacking of thousands of Canadians' financial information will proceed after a federal court certified the lawsuit.

Todd Sweet, a retired police officer living in Creston, B.C., took the Government of Canada to court as a representative plaintiff in the class action after hackers are said to have changed the direct deposit information of at least 12,700 Canadians. The suit claims hackers redirected pandemic relief payments to third-party bank accounts. 

Sweet alleges that in the summer of 2020, he logged on to his Canada Revenue Agency (CRA) online account to discover an unauthorized individual had applied for the Canada Emergency Response Benefit (CERB) — the federal government's flagship pandemic financial assistance program to help out-of-work Canadians through the COVID-19 pandemic.

The class action states Sweet is one of likely thousands of Canadians who were vulnerable to hackers from June to August 2020. 

The failure, alleges the judge-certified court filing, stems from a Government of Canada Branded Credential Service Key, or GCKey. 

Built by 2Keys Corporation, the GCKey controls access to 100 enabled services across 30 government departments, including Parks Canada, the RCMP, and Immigration, Refugees and Citizenship Canada.

The CRA — which is named in the case with Employment and Social Development Canada — does not use GCKey and relies on another two-step authentication process.

But by using the My Service Canada Accounts as a back door to a user's online CRA account, hackers could avoid answering security questions in what's known as a "credential stuffing attack," alleges the class action.

Justice Richard F. Southcott, who certified the class action lawsuit late last week, noted in his ruling that such tactics often make use of stolen credentials sold on the Dark Web and are carried out by bot systems automatically filling in log-in details on multiple accounts at once.

Once a hacker was inside the CRA account, the plaintiffs say they were able to steal a person's identity and apply for CERB benefits.

Southcott said the CRA became aware of several such attacks in the summer of 2020 after it was tipped off by law enforcement that noticed the Dark Web sales. By Aug. 5, 2020, 2Keys told the government it had determined several login anomalies were a large-scale attack on the GCKey service.

The tax agency fixed the security flaw around Aug. 10, 2020, but not before at least 48,110 My Accounts were accessed by a "threat actor." Of those, the hackers changed the taxpayers' direct deposit banking details and applied for CERB benefits.

The hackers are alleged to have gained access to "Social Insurance Numbers, direct deposit banking information, tax information, dates of birth, records of employment, information regarding employment insurance, and other benefits information," states the lawsuit.

On the way to having the class action lawsuit certified, Murphy Battista LLP suffered its own data breach, potentially compromising their clients' information a second time.

Sixteen months later, Vancouver law firm Rice Harbut Elliott LLP took on the case, and the class action was eventually certified in a Vancouver federal court last week.

In court documents, Sweet claims he and other members of the class action have:

  • had money withdrawn from their bank accounts;
  • had loans applied for in their names;
  • faced credit card fraud;
  • had their credit reputation damaged;
  • not been able to access benefits they were entitled to;
  • faced out-of-pocket expenses;
  • and suffered mental distress as they communicated with credit and federal agencies to address the data breaches.

In certifying the class action, Justice Southcott assessed the admissibility of a body of evidence, including expert reports and several news stories about taxpayers dealing with CERB fraud. 

The class action accuses the federal government of systematic negligence and breach of confidence, among other failings.

It states that the online application for pandemic relief programs — while "an admirable goal," according to Sweet — was "implemented hastily and recklessly without taking necessary precautions" and that the government "ought to have known that its databases and online systems were vulnerable to unauthorized breaches."

With the class action certified, the defendants' next step is to sign up more of the thousands of potential members to the suit.

Southcott ruled that anyone with a Canadian government Online Account who had their financial information disclosed to a third party between March 1 and Dec. 1, 2020, may join the suit.

The justice excluded all the people who contacted the original law firm from joining in the upcoming litigation.