Desjardins Group Breach Cost $38m Higher Than Expected

Last year's data breach at the Desjardins Group will cost the co-operative far more than initially anticipated. 

Original estimates by the Quebec-based financial institution set the cost of recovering from the breach at $70m. The co-operative has now said that the final breach bill is likely to be $108m. 

The data breach was intentionally carried out by a malicious employee who had access to banking details such as loans and savings. As a result of their actions, the data of 4.2 million customers who bank with Desjardins in Quebec and Ontario was exposed. 

Six months after the breach was announced, the incident was found to have also affected 1.8 million credit card holders who were not Desjardins members. The employee at the center of the breach has since been fired. 

News of the breach came to light in June last year. From July onward, Desjardins introduced identity protection for all members who bank with the co-operative in Quebec and Ontario, free of charge.

In November, Desjardins issued an online statement that implied that data exposed in the breach had not been misused. 

The statement said: "Desjardins would like to remind its members that there was no spike in fraud cases, either before or after the privacy breach was announced on June 20."

While the repair bill does not make suitable reading material for the faint-hearted, Desjardins president and chief executive officer Guy Cormier said that the financial impact of the breach represents less than 1% of the $18bn in revenue the institution earned in 2019.

According to Cormier, Desjardins has "ample capacity" to absorb the cost of the breach into its everyday operations.

Driving up the cost of recovery is the package of compensation measures Desjardins offered its members in the wake of the breach. Included in the package was five years of free credit monitoring from Equifax, which suffered its own catastrophic data breach in 2017 in which personal data of almost half the population of the United States of America was exposed.

Cormier said that no further increase in costs related to the data breach is expected. 

What’s Hot on Infosecurity Magazine?