Class Action Lawsuit Proposed Against the CRA Over Compromised Accounts

A class action lawsuit is being proposed against the Canada Revenue Agency (CRA). This in response to thousands of accounts being compromised.

Last month, we reported on how thousands of accounts being compromised at the Canada Revenue Agency. A number of accounts were compromised thanks to credential stuffing, the act of using compromised third party login details to access accounts on other services. Apparently, malicious third parties were accessing Canadian’s accounts, requesting COVID-19 relief funds and redirecting them to bank accounts they operate.

Now, a class action lawsuit is being proposed against the CRA. From the CBC:

A proposed class-action lawsuit has been launched against the federal government on behalf of Canadians who applied online for COVID-19 emergency aid — only to have their personal and financial information stolen by hackers.

The lawsuit alleges that a series of “failings” by the government and the Canada Revenue Agency (CRA) allowed at least three cyberattacks between mid-March and mid-August, but the public wasn’t alerted until CBC News broke the story on Aug. 15.

The Treasury Board and the CRA held a news briefing to confirm the security breaches Aug. 17.

The proposed class proceeding claims the delayed detection of the hacks caused the number of victims to balloon to at least 14,500.

“The actions of the [CRA] are reprehensible,” states the claim, “and showed a callous disregard for the rights of [victims].”

It alleges the agency’s conduct was “a deliberate … departure from ordinary standards of decent behaviour, and as such merits punishment.”

Of course, the difficulty here is that the users who’s information was compromised thanks to credential stuffing may have themselves to blame here. If they reused their own password, how is the CRA supposed to police that? At best, the CRA can place a notice saying that the password shouldn’t be used elsewhere. Beyond that, it’s hard to imagine what else the CRA can do otherwise.

It’s worth pointing out that a portion of the accounts were compromised thanks to credential stuffing. Not all of them were blamed for that. As the CRA pointed out, 5,500 GCKeys were acquired through credential stuffing. In all, 9,041 accounts were compromised. So, what of the then named 3,541? Another interesting aspect is that the lawsuit names 14,500. That increases the estimate by 5,459. The question is, are these accounts compromised and went undetected by the CRA, accounts that weren’t actually affected, or a combination of both? There’s also the possibility that the number has gone up since the original estimate too.

Since time is one of the core arguments being used in this lawsuit, this could answer an interesting question: what constitutes an unreasonable delay? Is two days too long? What about 1 day or a week? How about a hack going undetected by the CRA? What is reasonable measures to discover something? Then there’s the question about how reports of compromised information being reported by victims. If the CRA is told about someone being compromised, at what point is it reasonable to trigger a system-wide investigation into whether or not a hack is taking place?

There really could be some interesting legal questions that could be answered thanks to this particular lawsuit should it be approved.

Drew Wilson on Twitter: @icecube85 and Facebook.



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: