What you need to know about the Desjardins data breach

Warnings of fraud, possible lawsuit after financial institution says members' info leaked

The data breach at Desjardins Group is thought to be one of the largest ever among Canadian financial institutions, affecting roughly 2.7 million people and 173,000 businesses.

Now, in its aftermath, there’s a warning about fraudulent emails, and a class-action lawsuit is in the works. 

Here’s a breakdown of what went wrong and what’s happening now.

What happened

Officials at Desjardins revealed Thursday an employee improperly collected information about customers and shared it with a third party outside the financial institution, which is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.

The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits. Passwords, security questions and personal identification numbers weren’t compromised, according to Desjardins.

The employee, a man who has not been publicly identified, was fired. He was arrested by Laval police but has not been charged.

What are the risks?

Desjardins said it has not seen a spike in fraud cases since the breach.

But important questions remain, says one Montreal-based security expert.

“The first thing we need to find out is where is the information — that wasn’t answered yesterday,” said Claude Sarrazin, who has been watching the case closely. “Who has control over that information?”

Desjardins flagged a suspicious transaction to Laval police last December, and it took several months for the institution to learn the scope of the scheme.

François Dumais, left, an inspector with Laval police, took part in Thursday’s news conference. The police service assisted with an investigation at Desjardins. (Ivanoh Demers/Radio Canada)

In May, police told Desjardins that the personal information of some of its members had been leaked. An internal investigation was then conducted with the help of Laval police.

What Desjardins is doing

Desjardins said extra security measures have been put in place to protect data, such as requiring additional steps to confirm a member’s identity. It is also contacting every member affected by the leak.

“We’re communicating directly with every member who’s been affected to explain what happened and what they can do,” Desjardins said on its website.

On Friday, Desjardins extended its offer to pay for a credit monitoring plan and identity theft insurance for affected members for five years, up from the 12 months announced a day earlier.

A detailed list of what Desjardins is doing about the breach can be found here.

Class action in the works

A proposed class action filed in Quebec Superior Court on Friday alleges the co-operative financial group was negligent in safeguarding its members’ personal and financial information.

The lawsuit argues Desjardins failed to live up to its obligations and owes affected members $300 each, plus punitive damages.

The suit has not yet been certified by a judge — a requirement before it can proceed.

Julie Courchesne, a Desjardins client for more than 35 years, said she’s “very frustrated” by the situation. She said the breach will lead to a feeling of uncertainty about her private information “for the rest of our lives.”

Warnings of fraud

In the aftermath of the data breach, Quebec’s regulator of financial institutions warned that Desjardins members may be the target of fraudulent emails, text messages and telephone calls.

“Fraudsters may be tempted to contact you to extract personal information under the pretext that they are doing so in connection with security measures or updates stemming from the incident,” the Autorités des marchés financiers (AMF) said Friday.

Desjardins is the largest federation of credit unions in North America, with outlets across Quebec and Ontario. (Paul Chiasson/Canadian Press)

The AMF said you should “never reply” to such requests.

“Contrary to what the fraudsters may try to make you believe, such emails and text messages do not come from your financial institution, even if they bear the institution’s logo,” the statement said.