The theft of 9.7 million active and inactive records of individuals with accounts at Desjardins Group credit union branches by an employee could cost the company just over $200 million to settle a class-action lawsuit from victims.
Desjardins said this week that a proposed settlement agreement was concluded between it and the claimants represented by two law firms over the privacy breach. The settlement still has to be approved by the Superior Court of Quebec.
If finalized, the funds will be paid to eligible individuals who file a claim. They include current and former Desjardins banking members, current and former clients with a credit card or in-store financing, and anyone who received a letter informing them of the situation.
Two types of claim come under the settlement agreement:
- those impacted can claim up to $90;
- those whose identity was stolen after January 1, 2017 can claim up to $1,000.
Discovered in June 2019 by a police department, the data breach involved people with accounts largely in Quebec and Ontario, and some abroad.
An investigation by the federal and Quebec privacy commissioners said Desjardins “did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care.”
Data copied by an unnamed staffer in the marketing department onto a USB stick and allegedly sold to a private lender included first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories.
No one has been charged with a criminal offence.
While Desjardins “invested a significant portion of its overall information security budget to fight against external threats,” the commissioners said, “in our view, the absence of a culture of vigilance against internal threats significantly contributed to the breach.”
Almost half of the stolen data — 4 million files — involved people whose banking or credit card accounts had expired and shouldn’t have been kept by Desjardins. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), federally regulated firms — including financial institutions — can only retain personal information needed for commercial reasons.
This information was stored in two data warehouses to which the malicious employee had limited access: the credit data warehouse and the banking data warehouse. Access to the banking data warehouse was segmented according to whether the information was confidential (which included personal information) or non-confidential. But the credit data warehouse wasn’t segmented, and employees with the necessary authorizations could access all of the data, including personal information.
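The two control gaps the commissioners describe, a warehouse whose columns were not segmented by confidentiality and records kept past the point the business needed them, can be modelled in a few lines. The following is an added illustration, not Desjardins code; the column names, the `confidential` entitlement, the one-year retention window and the sample records are all constructed assumptions.

```python
# Added example (not Desjardins' code): a toy model of the two-warehouse
# layout described above, with the segmentation the banking warehouse had
# applied to every warehouse, plus a PIPEDA-style retention check.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Columns treated as personal information; these need the 'confidential'
# entitlement no matter which warehouse holds them. Constructed list.
CONFIDENTIAL = {"sin", "date_of_birth", "address", "phone", "email", "transactions"}

@dataclass
class Record:
    member_id: str
    fields: dict
    account_closed: Optional[date] = None  # None means the account is still active

@dataclass
class Warehouse:
    name: str
    retention_days: int  # assumed retention window for closed accounts (constructed value)
    records: list = field(default_factory=list)

def query(wh: Warehouse, entitlements: set, requested: list) -> list:
    """Return rows with only the columns the caller is entitled to see.
    Without 'confidential' the personal-information columns are dropped,
    so a marketing report still runs but cannot carry PII out of the warehouse."""
    allowed = [c for c in requested if "confidential" in entitlements or c not in CONFIDENTIAL]
    return [{c: r.fields[c] for c in allowed if c in r.fields} for r in wh.records]

def overdue_for_deletion(wh: Warehouse, today: date) -> list:
    """Member IDs whose account closed longer ago than the retention window;
    these are the 'expired' records the article says should not have been kept."""
    cutoff = today - timedelta(days=wh.retention_days)
    return sorted(r.member_id for r in wh.records if r.account_closed and r.account_closed < cutoff)

def build_sample() -> Warehouse:
    """Constructed sample data, not real member records."""
    wh = Warehouse("credit", retention_days=365)
    wh.records.append(Record("M1", {"segment": "retail", "sin": "000-000-000", "email": "a@example.com"}))
    wh.records.append(Record("M2", {"segment": "business", "sin": "111-111-111"}, account_closed=date(2015, 3, 1)))
    wh.records.append(Record("M3", {"segment": "retail", "sin": "222-222-222"}, account_closed=date(2019, 5, 1)))
    return wh

if __name__ == "__main__":
    wh = build_sample()
    print(query(wh, {"marketing"}, ["segment", "sin", "email"]))        # segment column only
    print(query(wh, {"marketing", "confidential"}, ["segment", "sin"]))  # full rows
    print(overdue_for_deletion(wh, date(2019, 6, 1)))                   # ['M2']
```

Running the retention check on a schedule and alerting when it returns anything is the detective control that would have surfaced the 4 million expired files long before an insider could copy them.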