Canada's Desjardins Settles Data Breach Lawsuit for $155M
4.2 Million Customers' Private Details Sold by 'Malicious' Insider for 26 Months
Canadian financial services cooperative Desjardins Group has reached an out-of-court settlement with multiple plaintiffs to resolve a data breach class action lawsuit. The breach, which was publicly disclosed in June 2019, involved a "malicious" insider stealing and selling personal details for 4.2 million active customers of the credit union group.
The settlement, submitted to the Superior Court of Quebec on May 24 and approved Tuesday, will provide nearly 201 million Canadian dollars ($155 million) to class members.
"Class members do not need to take any action at this stage to be included in the authorized class actions," according to details of the settlement published by Desjardins to a dedicated website.
"This action follows the public announcement by Desjardins that on June 20, 2019, a former employee stole and transmitted to third parties the personal and confidential information of millions of its members and customers, including their names, dates of birth, social insurance numbers, as well as certain information on their transactional habits and the products they use," according to court documents.
The former employee allegedly stole the information for more than two years and was selling it on darknet markets and other cybercrime forums.
The Canadian law firms of Siskinds Desmeules and Kugler Kandestin have been representing all members of the class action lawsuit against Desjardins. Their court-approved legal fees are being covered separately by Desjardins. The firms say any breach victim will be able to claim compensation, regardless of where they live.
Record-Setting Agreement for Sector
News agency The Canadian Press reports that this is the largest data breach settlement Canada's financial services sector has ever agreed on.
Details of the agreement and how class members can apply for compensation are being published online and will also be published in a number of national and local newspapers beginning on July 21.
Anyone affected by the data breach can already register for prepaid credit monitoring services from Equifax, which will last for five years from registration.
Starting next month, anyone affected by the breach will be able to submit a claim for time lost dealing with the breach, compensated at 18 Canadian dollars per hour for a maximum of five hours. Those who were victims of identity theft can also submit a claim for up to 1,000 Canadian dollars.
"The settlement agreement is intended to resolve all claims related to the privacy breach by providing compensation to class members and releasing Desjardins from future lawsuits that relate to the privacy breach," the company says.
"The compensation paid by Desjardins does not constitute an admission of liability since the allegations made in the class actions were not proved before a court of law and are still contested by Desjardins," it adds.
This settlement agreement doesn't resolve every lawsuit filed against Desjardins over the breach. One proposed class action lawsuit, filed in British Columbia in June 2019, remains ongoing.
Privacy Watchdogs Investigate
The data breach was detected in December 2018 and was first announced publicly by Desjardins Group in June 2019, when it also reported the breach to both the Office of the Privacy Commissioner of Canada - enforcer of Canada's federal data privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA - and to Quebec's privacy watchdog, the CAI. The two watchdogs launched a joint investigation.
When Desjardins initially disclosed the breach, it suspected information on about 3 million members and customers had been exposed. But later in 2019, as a police investigation continued, the financial services firm reported that the exposed information in fact pertained to 4.2 million customers.
How Data Breach Occurred
In 2020, the OPC issued a report into Desjardins' PIPEDA compliance from 2017 to 2019, covering the period during which the former employee was allegedly stealing customer data, which spanned at least 26 months.
The OPC found that the compromised information was stored in two data warehouses: one for credit data and another for banking data. While the banking data warehouse was segmented and access to confidential information within it was restricted, the OPC found that no such controls were in place for the credit data warehouse, so anyone with access to it could view everything it stored.
In addition, it found that marketing employees with sufficient access rights were regularly copying confidential information from both of the data warehouses to a shared marketing drive. "Once transferred, employees who did not have the necessary authorizations to access the confidential information in the data warehouses were able to access it freely," the OPC reported.
That "malicious" ex-employee appears to have had access to the shared marketing drive. The OPC found that "between March 2017 and May 2019, the malicious employee copied … personal information from the shared drive, including information he would not normally have access rights to in the banking data warehouse, onto his work computer and then onto USB keys," all of which "was in contravention of the confidentiality agreement he signed in the course of his employment."
Victims at Risk of Identity Theft
Exposed information included "first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories," which in various combinations could be used to perpetrate identity theft, the OPC found.
The OPC issued multiple recommendations for Desjardins, including improving controls around five areas:
- Security screening and confidentiality agreements;
- Organizational policies and procedures;
- Employee training and awareness;
- Access controls and data segregation;
- Oversight and monitoring.
The OPC also called on Desjardins to review its document retention policies, noting that under PIPEDA, "an organization must not retain personal information longer than necessary to fulfill the purposes for which it was collected."
Desjardins Overhauls Security Program
The OPC reported in December 2020 that Desjardins had accepted its recommendations and had already begun to put in place numerous changes, including overhauling its security program and creating a dedicated security office, as well as filing regular updates to the OPC.
By this month, Desjardins also planned to have implemented a data retention and destruction plan under which it would erase unused information within six months, if sensitive, and up to 18 months, if not sensitive.