CRA Faces Class Action Over Alleged Breaches That May Affect 60,000 Taxpayers

35,000+ smart investors are already getting financial news, market signals, and macro shifts in the economy that could impact their money next with our FREE weekly newsletter. Get ahead of what the crowd finds out too late. Click Here to Subscribe for FREE.

A tax account is supposed to be one of the safest places in a citizen’s digital life. A newly filed case in Quebec argues that, for tens of thousands of Canadians, it may instead have become a doorway to financial disruption, frozen benefits and months of uncertainty.

The proposed class action targets the Attorney General of Canada on behalf of the Canada Revenue Agency and Employment and Social Development Canada, alleging that personal information was accessed or changed without consent. Lawyers behind the case say nearly 60,000 taxpayers may be affected. None of the allegations has been proven, and the case must first be authorized by the Superior Court of Quebec. Even at this early stage, the filing places renewed pressure on Ottawa to explain how taxpayer information was protected, how victims were assisted and whether security reforms arrived quickly enough.

A New National Claim Lands in Quebec

The application for authorization was announced on June 15, 2026, after being filed in Quebec Superior Court. It seeks to represent people across Canada whose personal information held by the CRA or Employment and Social Development Canada was allegedly accessed or modified without consent on or after January 1, 2021. The Attorney General of Canada is named on behalf of the two federal bodies. The proposed national scope is significant because the claim is not limited to one cyberattack, login system or province.

The filing is only the first legal step. In Quebec, a proposed representative must obtain authorization before a class action can proceed. The court considers whether the case raises serious common issues, whether multiple people appear to have experienced a similar problem and whether the proposed representatives can adequately act for the group. Authorization would not prove that the government is liable. It would permit the case to proceed for a group defined by the court. Until then, the allegations remain untested, and the federal government can challenge both the proposed class and the claims against it.

Two Women Put Human Faces on a Digital Failure

The case is built around the experiences of two Quebec women. One proposed representative, identified as Ms. Corbin, alleges that she discovered in 2025 that someone had filed a fraudulent income tax return in her name. The proceeding says fraudsters allegedly sought almost $30,000 in refunds while increasing her reported income by more than $130,000. Because income is used to calculate income-tested benefits, she says her Canada Child Benefit payments were sharply reduced. The result, according to the filing, was nearly $8,000 in lost family benefits and the loss of access to certain public services linked to income.

The second woman, Ms. Jacques, was reportedly on medical leave when she attempted to claim Employment Insurance. She allegedly learned that her identity had been used to file a fraudulent return roughly two years earlier and that her account had been blocked. The application says she then waited several months for her first EI payment. These experiences illustrate why manipulated tax records can cause more damage than a stolen password alone. A false return can change the government’s official picture of someone’s income, interrupt benefits needed for rent or groceries and force the victim to spend months proving that information appearing in an official system is not accurate.

Why the “Nearly 60,000” Estimate Needs Context

Lawyers for the proposed class say nearly 60,000 taxpayers may be affected, but that figure should not be treated as a court-confirmed class size. The Privacy Commissioner’s May 2026 special report said the CRA had submitted six quarterly reports covering 42,755 confirmed individual breaches. An earlier CRA disclosure described 31,393 cases of unauthorized use of taxpayer information spanning May 2020 to November 2023. Public discussion in 2024 also referred to approximately 62,000 taxpayers affected by more than 31,000 material breaches.

Those figures come from different reporting periods and are not necessarily measurements of the same group. The proposed class begins on January 1, 2021, while some federal breach totals include incidents from 2020. The lawsuit also covers information held by the CRA or Employment and Social Development Canada, while the Commissioner’s latest investigation concentrated on the CRA. A reported breach may represent an individual incident rather than a unique taxpayer. The “nearly 60,000” number is therefore best understood as an estimate advanced by the plaintiffs. Should the case be authorized, the court’s order would determine the actual description of the group covered by the litigation.

The Privacy Commissioner Found Gaps Beyond One Login Screen

The proposed case arrives shortly after a major federal privacy finding. In May 2026, the Privacy Commissioner concluded that the CRA had contravened provisions of the Privacy Act concerning the accuracy and unauthorized disclosure of personal information. Attackers had accessed or changed taxpayer data to redirect government payments, file fraudulent benefit requests or pursue other financial gains. The CRA could not provide complete details for every confirmed incident because of limitations in its tracking systems, the volume of breaches and the resources that would have been required to reconstruct every case.

The investigation identified shortcomings in prevention, monitoring, detection, remediation and governance. Mandatory multi-factor authentication was not introduced until October 2021, and the Commissioner found that the agency did not always rely on the strongest available methods. Many incidents were brought to the CRA’s attention by taxpayers, while the agency could not consistently explain how attackers had bypassed authentication. The CRA also generally conducted detailed root-cause analysis for complex fraud schemes rather than for every individual breach, limiting its ability to learn from smaller incidents. The Commissioner issued nine recommendations. The CRA accepted eight fully and one partially, leading the complaint to be classified as well-founded and conditionally resolved.

The Damages Claim Could Be Large, but No Payout Is Guaranteed

The plaintiffs are seeking $15,000 in compensatory damages and $5,000 in punitive damages. When combined with a proposed group numbering in the tens of thousands, the amounts suggest potentially significant financial exposure. However, the requested damages are not an approved payment schedule. They represent what the plaintiffs are asking the court to award, and no taxpayer should assume that compensation has already been authorized or that every proposed member would receive an identical amount.

Several legal stages would have to occur first. The Superior Court would need to authorize the action, define the class and identify the common questions to be decided. The plaintiffs would then have to prove their allegations at trial or negotiate a settlement that receives court approval. Questions of causation could become especially important because the Privacy Commissioner found that attackers sometimes relied on credentials or personal information obtained through phishing, external data breaches or other third-party sources. The court may also have to distinguish between unauthorized access, unauthorized changes and incidents that caused measurable financial harm. For affected taxpayers, the size of any eventual recovery would depend on what the evidence establishes rather than the headline amount requested in the initial proceeding.

CRA Has Tightened Controls, but Trust Will Be Harder to Repair

The CRA has introduced several security changes since the earliest incidents. Mandatory multi-factor authentication arrived in 2021 and was later expanded through authenticator applications, passcode grids and one-time codes. In March 2025, the agency stopped accepting direct-deposit registrations or changes by telephone and through EFILE, removing routes that could potentially be used to divert payments. One-time-code authentication was added to certain telephone interactions in 2025 and expanded in 2026. The agency has also started prompting account holders to register a backup authentication method.

The CRA reported that it proactively revoked more than 50,000 user IDs and passwords in 2025 after determining that the credentials might be available to threat actors. Those changes may support the government’s position that its security practices have continued to evolve, but they do not erase the experience of people who say they spent months without benefits or access to accurate records. Taxpayers can reduce their exposure by regularly checking addresses, direct-deposit details, authorized representatives, returns and benefit applications in their CRA accounts. Unexpected changes, unfamiliar filings or unexplained payment delays should be reported directly to the agency. The question now raised by the lawsuit is whether the protections and assistance available during the relevant period were adequate, timely and consistently delivered.

This Options Discord Chat is The Real Deal

While the internet is scoured with trading chat rooms, many of which even charge upwards of thousands of dollars to join, this smaller options trading discord chatroom is the real deal and actually providing valuable trade setups, education, and community without the noise and spam of the larger more expensive rooms. With a incredibly low-cost monthly fee, Options Trading Club (click here to see their reviews) requires an application to join ensuring that every member is dedicated and serious about taking their trading to the next level. If you are looking for a change in your trading strategies, then click here to apply for a membership.