Desjardins Proposes $155m Data Breach Settlement

Canadian financial services cooperative Desjardins Group is prepared to pay $155m to settle a class-action lawsuit filed over a long-running data breach.

Desjardins, which is Canada’s largest credit union and one of the world’s largest banks, announced on June 20, 2019, that a data breach had occurred.

A joint investigation into the security incident, launched in July 2019 by the Office of the Privacy Commissioner of Canada and its local equivalent in Quebec, found that a “malicious” Desjardins employee had siphoned data.

For at least 26 months, the personal information of nearly 10 million individuals was exfiltrated from Desjardins. Data compromised in the incident included names, dates of birth, residential addresses, social insurance numbers, email addresses, telephone numbers and transaction histories.

Individuals impacted by the breach included current and former Desjardins banking members and current and former clients with a credit card or in-store financing.

“Such data elements can be considered sensitive on their own,” concluded the agencies. “When combined, they can also be exploited by malicious individuals to steal the identities of the persons concerned.”

Plaintiffs represented by law firms Siskinds Desmeules and Kugler Kandestin filed class actions in connection with the privacy breach. 

On December 16, Desjardins announced that a settlement agreement had been submitted to the Superior Court of Quebec for approval. Should the court approve the settlement, eligible individuals will be informed through messages in AccèsD or mail and notices placed in Canadian national newspapers.

Under the terms of the settlement, a maximum amount of C$200,852,500 may be paid out as individual recovery to eligible individuals who file a claim. 

Canadian residents who were impacted by the data breach can claim up to $90. Those whose identity was stolen after January 1, 2017, are permitted to claim up to $1,000.

“The settlement agreement is intended to resolve any claim regarding the breach of personal information by obtaining compensation for members of the proposed class actions and providing a release on their behalf to Desjardins,” stated a spokesperson for Desjardins.
