A proposed class-action lawsuit has been launched against the federal government on behalf of Canadians who applied online for COVID-19 emergency aid — only to have their personal and financial information stolen by hackers.
The lawsuit alleges that a series of “failings” by the government and the Canada Revenue Agency (CRA) allowed at least three cyberattacks between mid-March and mid-August, but the public wasn’t alerted until CBC News broke the story on Aug. 15.
The Treasury Board and the CRA held a news briefing to confirm the security breaches Aug. 17.
The proposed class proceeding claims the delayed detection of the hacks caused the number of victims to balloon to at least 14,500.
“The actions of the [CRA] are reprehensible,” states the claim, “and showed a callous disregard for the rights of [victims].”
It alleges the agency’s conduct was “a deliberate … departure from ordinary standards of decent behaviour, and as such merits punishment.”
The CRA has blamed “a vulnerability in security software” for the online breaches, and has said it wasn’t aware of the first cyberattack until Aug. 7.
The agency and the federal government have yet to file a legal response.
CERB, CESB benefits ‘implemented hastily’
Most of the victims of the security breaches were applying for financial assistance under the Canadian Emergency Relief Benefit (CERB) or the Canadian Emergency Student Benefit (CESB).
Both programs pay recipients up to $2,000 a month.
The legal action alleges the CERB and CESB were “implemented hastily,” without adequate security measures.
As a result, it claims hackers were able to steal the personal information of applicants — including social insurance numbers, home addresses, bank account details and tax information — and use the stolen data to impersonate victims, change addresses and direct deposit information and file fraudulent claims under the emergency programs.
The lawsuit alleges the victims have been hit with a double whammy: their aid applications have been frozen while the breaches are investigated, causing financial strain, plus they will have to guard against identity theft for the rest of their lives.
‘Stressed out and anxious’
Three lead plaintiffs in the case, representing all affected Canadians, say they now live in fear their stolen data could be used for years by cyber criminals.
“I’m definitely stressed out and anxious because I don’t know who has my information and I don’t know who can get a copy of my information,” said Ally Scott, who had applied for the student benefit.
“I am only 19 years old. I’m worried that I’m going to have to combat this issue for the rest of my life. And that seems pretty daunting.”
‘Somebody, somewhere has gotten $4,000’
Another plaintiff, a police dispatcher in Windsor, Ont., wasn’t even eligible to receive emergency funds as an essential worker, but had her identity stolen and used to obtain benefits for two months.
“Somebody, somewhere, has gotten $4,000 of payments and I don’t want that to be attached to my social insurance number, because I didn’t apply for it. I don’t qualify,” said Anne Campeau, 52.
Campeau said she felt compelled to step forward and represent herself and other victims.
“I believe [the CRA] dropped the ball when they came to dealing with it,” she said. “Sometimes you just gotta do something like this [proposed lawsuit] to get their attention. It’s not right.”
Compensation sought for all victims
The proposed class proceeding, filed Aug. 24 in Federal Court in Vancouver, blames the government and CRA for negligence and breach of privacy.
If given approval to proceed, the lawsuit will pursue financial compensation for all victims to cover damage to credit ratings, the ongoing cost of credit monitoring and for mental distress, stress and anxiety.
No date has been set for a hearing, and none of the allegations have been proven in court.
Receiving certification for a class-action lawsuit can take months or years.