Last Updated On 8 June 2026, 8:03 PM EDT (Toronto Time)
Thousands of Canadians whose CRA My Account or My Service Canada Account was compromised during the 2020 credential stuffing attacks are now weeks away from being able to file for compensation under a court-approved $8.7 million class action settlement.
The Federal Court approved the settlement on May 5, 2026, and the claims portal administered by KPMG is expected to go live this summer once the 60-day appeal window closes without a challenge.
Eligible class members will then have a six-month filing window to submit their claims and could receive combined payouts of up to $5,280 depending on how severely they were affected by the breach.
This guide explains the latest portal timeline, who qualifies, how much you can claim under each compensation tier, how to check your eligibility right now, and how to protect yourself from settlement-related scams that are already circulating across Canada.
Table of Contents
What Happened In The CRA My Account Breach Settlement Case
Between June 15 and August 30, 2020, hackers launched coordinated credential-stuffing attacks against Government of Canada online accounts accessed through the GCKey sign-in page and the CRA login services page.
Credential stuffing is a cyberattack method where criminals use usernames and passwords stolen from unrelated data breaches to attempt logins on government and financial platforms.
More than 47,000 Government of Canada online accounts were compromised during this period, exposing sensitive personal and financial information, including social insurance numbers, home addresses, and banking details.
In many cases, hackers used the stolen account access to file fraudulent applications for the Canada Emergency Response Benefit and the Canada Emergency Student Benefit during the early months of the COVID-19 pandemic.
Some victims discovered unauthorized changes to their direct deposit information, meaning legitimate benefit payments were redirected to accounts controlled by the attackers.
The affected accounts included CRA My Account, My Service Canada Account, and any other federal online accounts accessed using GCKey, which is the same portal used by Canadians to manage CPP payments, CPP and OAS payments, and other federal benefits.
Who Qualifies For The CRA Data Breach Settlement
The official settlement notice published by the Government of Canada confirms that eligibility is limited to a specific group of affected individuals.
You are a class member if your personal or financial information in a Government of Canada online account was disclosed to a third party without authorization between March 1 and December 31, 2020.
However, compensation is specifically available only to those whose accounts were accessed during the credential stuffing attacks between June 15 and August 30, 2020.
The eligible Government of Canada online accounts include CRA My Account, My Service Canada Account, and any other federal online account accessed through GCKey.
There is one important exclusion that affected Canadians should be aware of before filing.
Individuals who contacted Murphy Battista LLP about the CRA privacy breach class action with Federal Court file number T-982-20 before June 24, 2021, are classified as “Excluded Persons” and are not eligible for compensation under this settlement.
If KPMG sent you an email notification about the settlement, you are confirmed as eligible to apply for a payment once the claims portal opens.
You can also verify your eligibility right now at the official KPMG settlement portal using your last name, the last three digits of your SIN, and the email address associated with your government account.
CRA Breach Settlement Eligibility At A Glance
| Criteria | Details |
| Class Period | March 1, 2020 to December 31, 2020 |
| Compensation Period | June 15, 2020 to August 30, 2020 |
| Eligible Accounts | CRA My Account, My Service Canada Account, GCKey-linked accounts |
| Total Settlement | $8,760,500.90 |
| Funds For Claimants | Approximately $6 million |
| Accounts Compromised | Over 47,000 |
| Excluded Persons | Those who contacted Murphy Battista LLP before June 24, 2021 |
| Opted Out Before | February 20, 2026 |
| Check Eligibility | breachsettlementcanada.kpmg.ca |
Three Compensation Tiers And How Much You Can Claim
The settlement divides compensation into three distinct tiers based on the severity of the breach and the impact it had on each individual.
Understanding which tier applies to your situation is critical because it determines both the maximum amount you can receive and the documentation you will need to provide.
Tier 1: Access Claims — Up To $80
This tier applies to class members whose account information was accessed by an unauthorized third party but was not used for fraudulent purposes.
Compensation is calculated at $20 per hour for time spent dealing with the aftermath of the breach, up to a maximum of four hours.
Qualifying activities include time spent contacting the CRA, communicating with law enforcement, reaching out to credit agencies, and taking steps to secure your compromised accounts.
Tier 2: Fraud Claims — Up To $200
This tier applies if your personal information was not only accessed but also used for fraudulent activity, such as a fake CERB application filed in your name without your knowledge.
The hourly rate remains $20 per hour, but the maximum number of claimable hours increases to 10 hours, reflecting the additional time required to resolve fraud-related consequences.
This includes time spent correcting incorrect tax slips, disputing unauthorized benefit claims, resolving misdirected payments, and communicating with multiple government departments about the fraudulent activity.
Tier 3: Special Compensation Fund — Up To $5,000
The third tier provides reimbursement for documented out-of-pocket expenses directly related to the breach, covering the most serious financial impacts experienced by affected Canadians.
Eligible expenses include credit monitoring service fees, professional fees related to identity theft recovery, unreimbursed financial losses from fraudulent transactions, and costs associated with obtaining new identification documents.
Supporting documentation such as receipts, bank statements, invoices, and credit agency correspondence will be required for claims under this tier.
The maximum combined payout across all three tiers is $5,280 per person, though actual amounts may be reduced on a pro-rata basis if total claims exceed the approximately $6 million allocated for class member compensation.
CRA Breach Settlement Payout Breakdown
| Claim Type | Hourly Rate | Max Payout | Applies When |
| Access Claim | $20/hour | $80 | Account accessed but no fraud committed |
| Fraud Claim | $20/hour | $200 | Account used for unauthorized benefit claims |
| Special Fund | Receipts required | $5,000 | Documented out-of-pocket expenses from breach |
| Combined Maximum | — | $5,280 | All three tiers claimed together |
Key Dates In The CRA Data Breach Settlement Timeline
The settlement has been years in the making, and understanding the full timeline helps affected Canadians see where the process stands right now.
| Date | Event |
| June–August 2020 | Credential stuffing attacks compromise 47,000+ federal online accounts |
| August 2020 | Todd Sweet launches class action against the Government of Canada |
| August 2022 | Federal Court certifies the class action (Sweet v. Canada, 2022 FC 1228) |
| December 2025 | Government of Canada and class counsel reach settlement agreement |
| February 20, 2026 | Opt-out and objection deadline passes |
| March 31, 2026 | Settlement approval hearing held in Federal Court |
| May 5, 2026 | Federal Court Justice Richard Southcott approves settlement (2026 FC 590) |
| Summer 2026 | KPMG claims the portal is expected to open 60 days after appeal deadline |
| 6 months after portal opens | Filing deadline for all eligible class members |
How To Check Your Eligibility And File A Claim
KPMG is administering the settlement and has set up a dedicated portal where eligible Canadians can verify their status and eventually submit claims.
The claim form has not yet been published as of June 2026, but affected individuals can begin preparing right now by following these steps.
Step 1: Verify Your Eligibility
Visit breachsettlementcanada.kpmg.ca and check whether you are a confirmed class member using your last name, the last three digits of your SIN, and the email address associated with your government online account.
Also check your email inbox and spam folder for any correspondence from KPMG about the settlement, because recipients of that notification are confirmed as eligible.
Step 2: Gather Your Documentation
Start collecting any records that demonstrate how the breach affected you, especially if you plan to file a fraud claim or a special compensation fund claim.
Useful documents include CRA correspondence about unauthorized account changes, records of fraudulent CERB or CESB claims filed in your name, receipts for credit monitoring services, bank statements showing unauthorized transactions, and any communication with law enforcement about identity theft.
Step 3: Monitor The Portal For The Claim Form
Once the 60-day appeal window closes and the claims portal goes live, KPMG will publish the official claim form and send instructions to eligible class members.
The estimated time to complete a standard access claim is 10 to 15 minutes, while fraud and special compensation claims will require more time due to the documentation requirements.
Step 4: Submit Your Claim Before The Deadline
Once the portal opens, you will have six months to complete and submit your claim online through the KPMG website or by phone at 1-833-724-6160.
Filing early is recommended because if total claims exceed the allocated compensation fund, individual payouts may be reduced on a pro-rata basis.
Why Most Claimants Will Not Receive The Full $5,280
Headlines about the settlement often emphasize the $5,000 special compensation fund, but the reality is that most eligible Canadians will receive significantly less than the maximum combined payout.
The $80 access claim is the most common tier because many affected account holders had their information viewed but not used for fraud.
The $200 fraud claim applies only to those who can demonstrate that unauthorized benefit applications were filed using their compromised credentials.
The $5,000 special compensation fund requires detailed receipts and documentation proving direct out-of-pocket expenses, and it is designed for victims who suffered the most severe financial consequences.
Approximately $6 million of the total $8.76 million settlement has been allocated for class member compensation, with the remaining funds covering legal fees, administration costs, taxes, and honoraria for key plaintiffs, including lead plaintiff Todd Sweet.
Class counsel Rice Harbut Elliott LLP received court approval for 33.33% of net settlement proceeds, and any unclaimed funds will be donated to the Privacy and Access Council of Canada for privacy and cybersecurity research.
How To Avoid CRA Settlement Scams
The surge in public interest around the CRA data breach settlement has predictably attracted scammers who are now targeting Canadians with fraudulent messages.
Fake text messages and emails claiming you are eligible for a “CRA data breach payout” are circulating across the country, and they have nothing to do with the legitimate settlement.
Here is how to distinguish the real settlement process from a scam.
The CRA and KPMG will never ask you to pay a fee to release your settlement funds. Any message requesting an upfront payment in exchange for compensation is a scam and should be reported immediately.
All legitimate claims are processed exclusively through the official portal at breachsettlementcanada.kpmg.ca. No other website, phone number, or third-party platform is authorized to accept claims on behalf of this settlement.
The CRA does not randomly contact people offering settlement money through text messages or unsolicited emails. If you receive such a message, delete it and do not click any links or provide personal information.
Canadians concerned about broader fraud should also note that Bill C-12 has introduced expanded enforcement measures to strengthen digital security across federal government systems, and the government continues its Fraud Prevention Month campaign urging Canadians to spot, stop, and report fraudulent activity.
Documents That May Strengthen Your Claim
Being prepared with the right documentation before the claims portal opens will help you file faster and increase the likelihood of receiving the full amount available under your applicable tier.
| Document Type | Purpose |
| CRA notification letters | Confirms unauthorized changes or access to your CRA My Account |
| Fraudulent benefit records | Shows CERB or CESB claims filed in your name without authorization |
| Credit monitoring receipts | Proves out-of-pocket expenses for identity protection services |
| Bank statements | Documents unauthorized transactions or redirected benefit deposits |
| Police report or reference number | Supports fraud claims with official law enforcement documentation |
| Credit agency correspondence | Shows time spent communicating with agencies about compromised credit |
| Professional fee invoices | Documents costs paid for identity theft recovery services |
Keep in mind that access claims ($80 maximum) require only a self-attestation of time spent, while fraud and special compensation claims require the supporting documentation listed above.
Even though the claims portal has not opened yet, there are concrete steps you can take today to be ready when it does.
First, visit breachsettlementcanada.kpmg.ca and verify whether you are a confirmed class member using your last name, SIN digits, and email address.
Second, search your email inbox and spam folder for any messages from KPMG about the Sweet v. His Majesty the King class action page settlement notification.
Third, gather and organize any documentation related to the breach, especially if you experienced fraudulent benefit applications or incurred out-of-pocket costs.
Fourth, make sure your CRA My Account and My Service Canada Account are secured with updated passwords and that your direct deposit information is current and accurate.
Fifth, bookmark the KPMG settlement portal and check it regularly for updates on the claim form release date and filing instructions.
Frequently Asked Questions (FAQs)
When will the CRA breach settlement claims portal open?
The portal is expected to go live in the summer of 2026, approximately 60 days after the appeal deadline on the May 5 approval judgment passes without a challenge, meaning an estimated opening date of late July or August 2026.
How do I check if I am eligible for the CRA data breach settlement?
Visit breachsettlementcanada.kpmg.ca and enter your last name, the last three digits of your SIN, and the email address linked to your government online account to verify your eligibility as a confirmed class member.
How much money can I receive from the CRA breach settlement?
The maximum combined payout is $5,280 per person, broken into three tiers: up to $80 for access claims, up to $200 for fraud claims, and up to $5,000 for documented out-of-pocket expenses through the special compensation fund.
Is the CRA data breach settlement taxable?
Personal damages portions of class action settlements are generally not taxable in Canada, but recipients should monitor for any tax slips issued by KPMG and consult a tax professional for guidance specific to their individual situation.
How do I avoid CRA settlement scams?
Only use the official KPMG portal at breachsettlementcanada.kpmg.ca to check eligibility and file claims, never pay a fee to receive your settlement, and delete any unsolicited text messages or emails claiming you are owed a CRA data breach payout.
Fact-checked: The CRA privacy breach class action settlement was approved by the Federal Court on May 5, 2026. The official KPMG settlement website lists the total settlement amount as $8,760,500.90 and confirms that KPMG is the claims administrator. The claim period is expected to open after the settlement becomes effective and will run for six months once it begins. Actual compensation may be lower than the maximum advertised amount if total approved claims exceed the funds available for class members.
Disclaimer: This article is for general informational purposes only and is not legal, financial, tax, or cybersecurity advice. Settlement eligibility, claim requirements, deadlines, and payout amounts may change based on the final administration process, appeal status, available settlement funds, and decisions made by the claims administrator or the court. Eligible individuals should verify their status and filing instructions only through the official KPMG settlement portal or official settlement communications. Never click suspicious links or pay any fee to receive settlement compensation.
Something went wrong. Please refresh the page and/or try again.
You may also like: New OAS Payment Increase Confirmed For July 2026
New CRA My Account Breach Claims With Up To $5,280 In Payouts
New CRA Benefit Payments For Ontario Residents In June 2026
New Canada Travel Tips For FIFA World Cup 2026