If you received a letter about a CRA settlement, you’re not alone — and you’re not in trouble. The Sweet v HMK class action involves tens of thousands of Canadians whose tax accounts were accessed without authorization in 2020. A proposed settlement is now before the Federal Court, with an approval hearing scheduled for March 31, 2026 at 9:30 a.m. PST. Here’s what that means for you.

4 related posts

Breach Year: 2020 ·
Settlement Admin Site: breachsettlementcanada.kpmg.ca ·
Access Claims Max: $80 ·
Non-Fraud Access Payout: $20 ·
Approval Hearing: March 31, 2026

Quick snapshot

1Confirmed facts
2What’s unclear
  • Exact total settlement fund not disclosed
  • Number of claims filed unknown
  • Post-approval payout timeline uncertain
3Timeline signal
  • August 2020: Government response to attacks
  • August 25, 2022: Federal Court certified class action
  • March 31, 2026: Approval hearing
4What’s next
  • File claim at breachsettlementcanada.kpmg.ca
  • Attend or monitor approval hearing outcome
  • Receive compensation if approved

Key details about the settlement are summarized in the table below.

Fact Detail
Lawsuit Name Sweet v HMK Class-Action Suit
Federal Court File T-980-20
Administered By KPMG
Official Notice canada.ca
Breach Scope Unauthorized account access 2020
Approval Hearing March 31, 2026

What is the class action lawsuit against the Canadian government?

Sweet v His Majesty the King (Federal Court File No. T-980-20) is a certified class action alleging the Government of Canada failed to safeguard personal and financial information in online portals. The lawsuit claims this negligence allowed unauthorized access to taxpayer accounts and enabled fraud — including fraudulent CERB applications worth thousands of dollars each.

The attacks targeted two Government of Canada services during summer 2020: the GCKey credential system and the CRA My Account portal. Hackers used credential stuffing — automated tools that try username/password combinations stolen from other breaches — to access accounts en masse.

Sweet v HMK details

Todd Sweet, a British Columbia resident, was certified as the representative plaintiff. The Federal Court ruled in August 2022 that a class action was the appropriate mechanism because the CRA had offered no alternative procedure. Class counsel is Rice Harbut Elliott LLP, which seeks 33.33% of net settlement proceeds plus disbursements and taxes.

2020 privacy breach overview

According to data analyzed by tax law experts, 48,110 CRA My Accounts were impacted by unauthorized credential use in summer 2020, with 12,700 showing clear fraud evidence. Additionally, 5,957 Employment and Social Development Canada accounts were potentially impacted, including 3,200 My Service Canada Accounts used to access CRA systems. Approximately 1,200 compromised accounts were used to apply for CERB or other COVID-19 benefits.

The implication

Class actions against the Canadian government are rare. This case stands alongside landmark settlements like the Residential Schools settlement (2006) and the $23 billion First Nations child welfare agreement — though individual payouts here are far smaller.

Why did I receive a notice of class action settlement?

If you received a notice, it means KPMG — the appointed claims administrator — identified you as a potential class member. The email or letter alerts recipients that a proposed settlement has been reached and that they may be eligible to file a claim for compensation.

Class membership is defined broadly: anyone whose personal information in Government of Canada online accounts (CRA My Account, My Service Canada Account, or GCKey) was disclosed without authorization between March 1 and December 31, 2020 qualifies. This includes people who never noticed any suspicious activity on their accounts.

Notice meaning

The notice is not a bill, a penalty, or an accusation. It’s a formal communication required by court rules to inform potential class members of their rights. The Government of Canada denies any wrongdoing, as stated on the official settlement website, but agreed to settle to avoid further litigation costs.

Eligibility indicators

You are likely eligible if you: had a CRA My Account or GCKey account during 2020, received an email from KPMG about the settlement, noticed suspicious login activity, or had your CRA account used to apply for benefits you didn’t request. Note that only victims of the credential stuffing attacks between June 15 and August 30, 2020 are eligible for actual payments.

What to watch

Excluded Persons — those who contacted Murphy Battista LLP about related CRA breach case T-982-20 before June 24, 2021 — are still technically class members but face additional procedural considerations.

What Is A Class Action Lawsuit Settlement Notice?

A settlement notice informs class members that the parties have reached a proposed agreement. Unlike a court judgment, this settlement is not yet final — it requires approval from a Federal Court judge before it becomes binding on all class members.

The notice explains the compensation structure, how to file a claim, and key dates. It also states that class members can object to the settlement or opt out entirely, though opt-out information is available on the Government of Canada website.

Settlement approval process

The Federal Court will hold an approval hearing on March 31, 2026 in Vancouver (and via Microsoft Teams). At this hearing, the judge will examine whether the settlement is fair, reasonable, and in the best interests of class members. The court will also review counsel fees — Rice Harbut Elliott LLP seeks 33.33% of net proceeds — and administrative costs.

Next steps after notice

After receiving notice: visit breachsettlementcanada.kpmg.ca to confirm your eligibility, gather documentation (such as records of time spent addressing breach-related issues), file your claim by the deadline, and monitor the website for updates on the approval hearing. Claims will only be processed after court approval.

How much do People Typically Get in a Class Action Lawsuit?

Compensation in this settlement is tiered based on the type of harm experienced. The structure is designed to reimburse class members for time spent addressing problems caused by the breach, not to punish the government.

CRA settlement payouts

Access Claims pay $20 per hour for up to 4 hours of time spent addressing the breach — a maximum of $80 per person. This applies to class members whose accounts were accessed but not used for fraud. Fraud Claims pay $20 per hour for up to 10 hours — a maximum of $200 — for those whose accounts were used to apply for CERB or other benefits fraudulently.

Access vs fraud claims

The key distinction is whether someone filed a fraudulent benefit application using your account. If hackers accessed your CRA My Account and filed a CERB claim in your name, you’d document the time spent dealing with that fraud — resolving incorrect tax slips, correcting records, communicating with the CRA. If no fraud occurred, you file an access claim for the simpler $80 maximum.

The catch

Early reports mentioned potential claims up to $5,000, but the actual settlement tiers max at $200. Do not expect large payouts — this is reimbursement for time, not compensation for damages.

What Is A Settlement Agreement?

A settlement agreement is a compromise between the parties. The Government of Canada agrees to fund a settlement pool and the plaintiffs agree to drop their claims in exchange. Neither side admits fault. The agreement outlines who qualifies, how compensation is calculated, and how claims are processed.

The Sweet v HMK settlement applies Canada-wide, meaning class members from any province or territory are included. KPMG administers claims centrally, and payments will be distributed after court approval.

CRA proposal terms

The proposed settlement sets fixed hourly rates ($20/hour) with caps based on claim type. Class counsel fees, administrative costs, and honoraria for the representative plaintiffs ($5,000 for Todd Sweet, $1,500 each for Anne Campeau and Tanis Seminoff) are deducted from the settlement fund before individual payments are calculated.

Claim filing process

Claims are filed through the KPMG portal at breachsettlementcanada.kpmg.ca. You’ll need to attest to the time spent addressing breach-related issues and provide any supporting documentation. KPMG verifies eligibility and processes payments after the court approves the settlement.

Bottom line: Class members who file approved claims receive modest reimbursement — up to $80 for access claims, $200 for fraud claims. Canadian taxpayers affected by the breach must act before deadlines and monitor the March 2026 hearing to claim their payments.

Timeline of events

Eight key dates explain how this case unfolded from breach to settlement.

Date Event
March 1, 2020 Data breach class period begins
June 15 – August 30, 2020 Credential stuffing attacks; 48,110 CRA accounts impacted
June 2020 Government of Canada responds to attacks
December 31, 2020 Data breach class period ends
August 25, 2022 Federal Court certifies class action (2022 FC 1228)
March 2026 Proposed settlement reached
March 31, 2026 Approval hearing at 9:30 a.m. PST in Vancouver Federal Court
Post-approval Claims processed and payments distributed

What this timeline shows is a slow process: nearly five years from breach to settlement proposal, with another court hearing needed before anyone sees a payment. Class members should expect waits.

What we know and what we don’t

Transparency matters. Here’s what the evidence confirms — and where uncertainty remains.

Confirmed facts

  • A data breach occurred in 2020 affecting tens of thousands of CRA accounts
  • The Sweet v HMK class action was certified by the Federal Court in August 2022
  • A proposed settlement was reached in October 2025
  • KPMG is the claims administrator at breachsettlementcanada.kpmg.ca
  • Only victims of credential stuffing attacks between June 15 and August 30, 2020 are eligible for payments

What’s unclear

  • The exact total settlement fund amount has not been publicly disclosed
  • The number of class members who will actually file claims is unknown
  • Individual payout amounts depend on total claims filed — your share could be less than the maximum
  • How quickly payments will be distributed after court approval has not been specified

The balance here tilts toward confirmed facts because most key data — file numbers, dates, compensation rates — comes from tier-1 government sources. Uncertainty clusters around the unknown total fund and final payment timing.

What people are saying

The Government of Canada denies any wrongdoing.

— Government of Canada (KPMG Breach Settlement Canada, official settlement administrator)

Inadequate safeguards allowed bad actors to access the online accounts of Canadians without their consent.

— Todd Sweet (representative plaintiff, via Daily Hive)

The CRA had offered no alternative to the class action mechanism.

— Federal Court of Canada (TaxPage legal analysis)

For Canadian taxpayers caught in the breach, the bottom line is straightforward: check your eligibility at breachsettlementcanada.kpmg.ca, file your claim before the deadline, and watch the March 31, 2026 hearing for the outcome. Compensation will be modest — but it’s yours to claim if you act.

Related reading: Canada Life Sign In: Guide to All Account Portals · Wealth One Bank of Canada: Legit, Safe, GICs & Reviews

Additional sources

topclassactions.com, canada.ca, knowledgebureau.com, canada.ca

Prospective CRA claimants can reference the Google $135M privacy settlement for insights into similar privacy breach eligibility and payout processes ahead of 2026 approvals.

Don't miss these

Frequently asked questions

What is the CRA privacy breach class action?

Sweet v His Majesty the King (File T-980-20) is a certified class action against the Government of Canada for failing to prevent unauthorized access to CRA My Account and GCKey portals in 2020. The proposed settlement offers tiered compensation to affected Canadians.

How do I check eligibility for CRA settlement?

Visit breachsettlementcanada.kpmg.ca and enter your information. Eligibility generally requires that your Government of Canada online account (CRA, MSCA, or GCKey) was subject to unauthorized access between March 1 and December 31, 2020, with actual payment eligibility tied to attacks between June 15 and August 30, 2020.

When is the CRA settlement approval hearing?

The approval hearing is scheduled for March 31, 2026 at 9:30 a.m. PST at the Vancouver Federal Court and via Microsoft Teams. The public can attend in person or remotely to observe the proceedings.

What documents are needed for CRA claims?

You’ll need to document the time spent addressing breach-related issues. For access claims, this means time spent monitoring accounts, changing passwords, or contacting the CRA. For fraud claims involving fraudulent CERB or benefit applications, document time spent resolving incorrect tax slips, correcting records, and communicating with government agencies.

Is there a deadline to file CRA settlement claims?

Claims cannot be filed until after court approval of the settlement. Monitor breachsettlementcanada.kpmg.ca for claim deadlines, which will be posted after the March 31, 2026 hearing if the settlement is approved.

Does CRA settlement affect taxes?

Compensation under this settlement is for reimbursement of time spent addressing the breach — it is not income in the traditional sense. However, tax treatment of settlement payments can vary. Consult a tax professional if you receive a significant payment for guidance specific to your situation.

What if my CRA account was used fraudulently?

If hackers used your CRA account to apply for CERB or other benefits fraudulently, you should file a Fraud Claim rather than an Access Claim. Fraud Claims pay $20/hour for up to 10 hours (maximum $200). Document all time spent resolving the fraud, including communications with the CRA, Service Canada, and any other affected agencies.