Desjardins Settles for $201 Million Over Breach That Exceeded 100% of Their Customer Base

The Desjardins data breach has reached at least one conclusion. The company has settled a class action for $201 million.

We often talk about how there are few avenues for recourse in Canadian law when it comes to having your personal information compromised. For one, the various privacy commissioners are reduced down to having to send out strongly worded letters. For another, when it comes to monetary penalties, that really only comes in the form of litigation. That puts a huge burden on the victims of a breach or leak because they have to show the court that they suffered damages as a result of that leak or breach from that specific company. In a lot of cases, that can be rather difficult to prove – especially when companies have an incentive not to come forward and admit their information was compromised.

Of course, not a lot of breaches or leaks in a Canadian company comes close to what happened to Desjardins. The circumstances of that breach really was at another level.

Desjardins is a Quebec based insurance company. In June of 2019, we learned that the company suffered from a data breach. In all, 2.7 million customers were compromised. In this case, it was an insider job where an employee basically exfiltrated the customers personal information. That, of course, raises a security red flag because, how is it that one person could have access to so many people’s files like that? It really suggests that security standards were not exactly the worlds greatest from the start.

Of course, for many people who follow security news, an all too familiar pattern is that a data breach ends up being worse than initially reported. Naturally, this story was no exception to that trend. By November, it was learned that the breach affected 4.2 million customers. While that is not necessarily a small number, the fact is that this accounts for the companies entire customer base. Legally speaking, it makes it easier to show a court that you were affected by a breach. If you were a customer of Desjardins in 2019, your information is compromised. That burden of proof becomes smaller.

Meanwhile, the Quebec government was reluctant to look into the breach in the first place. As the details just kept getting worse and worse, they begrudgingly decided to investigate with a nice light touch approach. That, of course, suggests that the government has a pretty cozy relationship with the company. Unsurprisingly, the provincial government response was met with controversy.

By December, the fallout seemed to just keep going. Two executives were fired: specifically the Head of IT and the COO. At this point, things are going critically bad for the company. With lawsuits being filed, it seemed like the story would simply go to the courts and assessing the damage was the only way this story was going to go.

It didn’t.

It was at that point that the story somehow managed to get even worse. To do so, the company had to basically exceed having more than 100% of the customer base compromised. How is that mathematically possible? Well, that’s what we found ourselves asking when we found out that an additional 2 million accounts were compromised – exceeding 100% of the customer base. As it turns out, the employee had access to other sets of data being held at the company. That got exfiltrated too. As a result, more than 100% of the customer base was stolen. Suffice to say, things got so bad for the company, it reached the height of absurdity.

Recently, we caught wind of a development in the story. As it turns out, the company has settled the class action for $201 million. From the CBC:

Financial services firm Desjardins Group will pay up to nearly $201 million to settle a class-action lawsuit related to a data breach in 2019 that affected close to 9.7 million Canadians.

The agreement, which is subject to approval by the Quebec Superior Court, would allow eligible individuals who were affected by the privacy breach that came to light in June 2019 to receive a payment.

The settlement applies to members and former members as well as clients and former clients of the financial co-operative who have held Desjardins credit cards or financing products.

Desjardins says there’s no need for people to contact them before the agreement is approved and a claims process begins.

Plaintiff law firms Siskinds Desmeules and Kugler Kandestin say the agreement provides compensation for loss of time related to the personal information breach, as well as compensation for identity theft.

Details of the settlement are available at www.desjardinssettlement.com or by calling 1-888-886-7164.

For those wondering, it’s not a small amount. According to a 2020 annual report, that would account for almost 10% of the total profit the company brought in for a year. So, not exactly a massive loss for the company, but not necessarily a minuscule amount either. It can easily be debated whether or not the settlement would actually be enough to sting such a company.

In 2020, the Office of the Privacy Commissioner published their findings of an investigation they launched:

Overview

1. On May 27, 2019, the Fédération des caisses Desjardins du Québec (“Desjardins”) notified the Office of the Privacy Commissioner of Canada (“our Office” or the “OPC”) of a breach of security safeguards that ultimately affected close to 9.7 million individuals in Canada and abroad. The compromised personal information included first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories. The number of individuals affected includes individuals whose personal information a malicious employee was able to access and/or exfiltrate.
2. Desjardins also informed Quebec’s Commission de l’accès à l’information (the “CAI”) and other regulators of the fact that there were individuals within their jurisdictions that were affected by the incident.
3. The OPC and the CAI launched investigations into this matter. To coordinate their efforts, the two Offices signed a collaboration arrangement on July 25, 2019.
4. Desjardins concluded that the breach had been committed by one of its employees, who had been exfiltrating personal information over a period of at least 26 months. This raises the question as to whether Desjardins’ security safeguards were appropriate and whether it met accountability requirements with respect to the personal information entrusted to it. Given the age of some of the information compromised in the incident, the OPC also reviewed Desjardins’ data destruction practices.
5. Our investigation concluded that Desjardins contravened the Personal Information Protection and Electronic Documents Act (“PIPEDA”)’s principles with regard to accountability, retention periods, and security safeguards. This report contains recommendations to Desjardins to address the contraventions found.

That basically was the strongly worded letter from regulators. What’s more is that this is more or less the extent of what punishment the office can doll out. They could issue another strongly worded letter, but that’s pretty much it. Legally, they can’t hand out fines of any kind (which makes Canada a fairly unique country in that regard which is quite embarrassing). So, the company got a good finger wagging and got told “don’t do that again.” As a result, it wound up being one of many reasons why Canada badly needs privacy reform. It basically got added to the pile as the federal government continued to drag its feet on that file ever since.

We’ll check in from time to time to see if there is any more updates to this story. Otherwise, it looks like this story might finally be starting to wind down.

Drew Wilson on Twitter: @icecube85 and Facebook.



1 Trackback or Pingback

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: