Desjardins pays CAD 959.7 million after employee leaks information of 9.7 million members

Isobel Selwyn

As of 22 February 2023, Desjardins had paid a total of approximately CAD 959.7 million (USD 726.5 million, EUR 643.8 million) in relation to this event, reflecting the cost of remediating multiple risk management failures identified by regulators and a class action settlement with impacted customers in December 2021.

On 20 June 2019, it was reported that Desjardins Group had experienced a data breach in which the personal information of 2.9 million members was shared without authorisation outside of the organisation by an employee. It was later reported, on 1 November 2019, that the number of affected customers was 4.2 million, the entirety of Desjardins’ personal banking members. On 12 August 2019, Desjardins announced in its Q2 2019 results that it had spent CAD 70 million in relation to the breach. On 26 February 2020, Desjardins announced in its 2019 fiscal results that it had spent a total of CAD 108 million in relation to the breach.

Desjardins initially said that the breach affected 2.7 million personal members and 173,000 business members, representing more than 40 per cent of the firm’s members. The names, dates of birth, social insurance numbers, addresses, and phone numbers of members were released to people outside the organisation in the data breach. Other details that were shared included information about banking behaviour and about Desjardins products used by customers, the Montreal Gazette reports. For business accounts, business names, addresses and telephone numbers, owner names and names of users of the AccèsD account were exposed. Passwords, security questions and personal identification numbers (PINs) were not compromised, Desjardins said. The firm said the incident was not the result of a cyberattack and its computer systems had not been breached. It also said there had been no spike in fraud cases involving members’ accounts in recent months.

According to CBC, Desjardins identified a suspicious transaction in December 2018 during routine monitoring and referred it to the police in the city of Laval in Québec. It is not clear to ORX when Desjardins became aware that a data breach had occurred: CBC reports that police told Desjardins in May 2019 that the personal information of its members had been leaked, but the Montreal Gazette reports that on 14 June 2019 police confirmed to Desjardins that there had been a leak. The police subsequently conducted an internal investigation together with Desjardins and traced the leak to a “malevolent” act by a single employee who worked in the firm’s data department. Desjardins said its security procedures prevented employees from gaining access to the information of all of its members, and that the employee suspected of leaking the data had allegedly conspired to use his colleagues' data access as well as his own to gather the data which was leaked.

In a message on its website, Desjardins said it had introduced additional monitoring and security measures to protect customer information and notified the Office of the Privacy Commissioner of Canada, the Québec information access commission Commission d’accès à l’information, and the Québec financial regulator Autorité des marchés financiers (AMF). It said it had fired the employee responsible for the leak and boosted its customer identity confirmation procedures. Desjardins said it was carefully monitoring all activity in members’ accounts and communicating directly with members about the breach and any action required. As of 20 June 2019, Desjardins was continuing to work with the police and working with experts to protect its members’ information. The affected members will be notified by letter and through their AccèsD account and will have access to a 12-month credit monitoring plan and identity theft insurance paid for by Desjardins. Desjardins said any financial losses would be reimbursed to customers and specialists would be deployed to guide them through the resolution process. It was unable to estimate the overall financial loss caused by the breach.

As of 20 June 2019, the AMF said it was satisfied with the actions taken by Desjardins to protect its members’ interests and assets. The AMF said that Desjardins had handled the situation with “due rigour, transparency and speed” and that the firm had provided full and complete cooperation to law enforcement authorities.

On 21 June 2019, the Montreal Gazette reported that two class-action suits had been filed against Desjardins over the breach. One of the suits, filed on behalf of a Québec City resident, is seeking compensation of up to CAD 2.9 billion and punitive damages of CAD 290 million. The second action does not specify exactly how much the suit is seeking in compensation, but the plaintiff named in the suit is seeking CAD 300 in punitive damages.

On 15 July 2019, CBC reported that Desjardins would offer free, life-long data protection and in-house services to help address identity theft to all personal and business members, including those unaffected by the data breach. The offer was effective immediately and would automatically cover members.

According to Desjardins, the services include assistance in filing police reports and contacting federal government agencies, and customers that are victims of identity theft in the future will have free access to specialist lawyers and be compensated for losses.

The protection plan includes up to CAD 50,000 for customers who experience identity theft, including loss of salary or fees associated with filing legal documents.

As reported by CBC on 15 July 2019, Desjardins had already offered all those affected by the breach, approximately 40 per cent of its customers, five years of free credit monitoring with Equifax. However, due to high demand, the Equifax website frequently crashed and some customers contacting the company by phone waited for hours on hold. Customers also reported difficulties with getting services in French. As of 15 July 2019, 360,000 affected members, or 13 per cent, had signed up to Equifax.

According to Desjardins, its offer of protection for businesses was “a first in Canada”.

CBC reports that an emergency meeting of the House of Commons public safety and national security committee was scheduled for 15 July 2019, and would investigate whether issuing new social insurance numbers to affected people would be feasible, and ways to prevent future data breaches.

On 12 August 2019, Desjardins announced in its Q2 2019 results that it had paid CAD 70 million in expenses and provisions for the implementation of the credit monitoring plan and the identity theft solution for Desjardins' caisse members.

On 1 November 2019, CBC reported that the number of affected members was larger than previously reported and amounted to 4.2 million. Desjardins said that Quebec’s provincial police force Sûreté du Québec (SQ) had informed it on 31 October 2019 that the number of affected users had grown to 4.2 million “individual members” in Quebec and Ontario. It also said that this number represented the entirety of Desjardins’ personal-banking clientele and that there was no information about whether more business members had been affected.

According to CBC, there was still only one suspect, and no one had been charged as of 1 November 2019. It previously reported, on 19 September 2019, that the SQ had questioned 17 people who had tried to acquire the leaked data.

On 26 February 2020, Desjardins announced in its 2019 financial results that the costs incurred and the establishment of a provision for the implementation of Desjardins Identity Protection, which involves protection, support, reimbursement and monitoring, totalled CAD 108 million for the fiscal year ended 31 December 2019.

On 14 December 2020, the Commission d’accès à l’information (CAI) noted that Desjardins had allocated the DSO a budget of CAD 150 million in 2020, and Desjardins further announced that for 2020 it had invested CAD 150 million in fraud prevention and security measures related to the Desjardins Identity Protection Plan.

After Desjardins publicly announced the data breach on 20 June 2019, certain impacted customers filed a class action lawsuit against the firm. On 16 December 2021, Desjardins agreed to pay CAD 200,852,500 to settle the class action.

In its 2021 annual report, Desjardins highlighted that the year had seen it invest over CAD 350 million in several projects stemming from its data security investment plan, which was CAD 100 million more than it initially aimed for in 2020.

Furthermore, in its 2022 annual report, Desjardins said that it had invested CAD 845,000 in Canada’s Digital Identity Laboratory (IDLab), a non-profit with which it was collaborating to develop digital identity platforms and systems to be used nationwide.

UPDATES

15 July 2019: Desjardins offers free, life-long data protection services to personal and business members. Paragraphs 7–12 added. Cause Inadequate Policy/Procedure removed and Unauthorised Activity added.

12 August 2019: Desjardins announces expenses and provisions of CAD 70 million in relation to the breach. Loss Amount changed from Not Identifiable to CAD 70,000,000. Headline and paragraph 1 amended. Paragraph 13 added.

1 November 2019: Number of affected customers increases from 2.7 million to 4.2 million. Headline and paragraphs 1 and 2 amended. Paragraphs 14 and 15 added.

26 February 2020: Desjardins announces expenses and provisions of CAD 108 million in relation to the breach. Loss Amount changed from CAD 70,000,000 to 108,000,000. Headline and paragraph 1 amended. Paragraph 16 added.

22 February 2023: Details of previous settlements and remediation costs added. Loss Amount increased from CAD 108,000,000 to CAD 959,697,500. Date of Occurrence From changed from Not Identifiable to 1 March 2017. Date of Occurrence To changed from Not Identifiable to 22 May 2019. Date of Recognition/Settlement changed from Not Identifiable to 16 December 2021. Date of Discovery changed from Not Identifiable to 22 May 2019. Counterparty/Claimant changed from Not Identifiable to LS0207 Individual – Retail. Alleged Causes CS0304 Organisational Controls and CS0403 Inadequate Policy/Procedure added. Headline and paragraph 1 amended. Paragraphs 18 to 21 added.
