Tuesday, May 21, 2024

Record-Breaking Settlement Over Financial Firm Security Breach Affecting 4.2 million Customers

In a record-breaking legal agreement for the Canadian financial sector, a $155 million out-of-court settlement between financial services giant Desjardins and multiple class-action plaintiffs was approved last Tuesday.

The lawsuit was brought against the co-operative on behalf of victims of a data security breach lasting more than two years, in which a former employee stole the personal data of millions from the organization’s database.

On June 20, 2019, Desjardins issued a public announcement revealing that a 2018 investigation had discovered a “malicious” former employee stealing and selling the stored data of the company’s 4.2 million customers to a third party on the dark web. 

The credit union stated that this settlement was not an admission of liability on its part “…since the allegations made in the class actions were not proved before a court of law and are still contested by Desjardins.”

Desjardins also faces a separate proposed class-action lawsuit which was filed in British Columbia and remains unresolved. 

What information was accessed during the breach? 

Customer information accessed during the breach included first and last names, social insurance numbers, dates of birth, addresses, and emails, as well as transaction histories and details of product usage.

What happened during the data security breach?

The Office of the Privacy Commissioner of Canada (OPC) issued a publicly available report in 2020 on Desjardins’ compliance with Canada's Personal Information Protection and Electronic Documents Act. The report covered the period between 2017 and 2019, when the security breach took place.

The report found that although Desjardins had adequate restrictions on access to its banking data, its credit data had no such security measures: anyone in the company with access to the data store could view all the information stored in the database.

The OPC also discovered that members of the company’s marketing department were habitually copying customers’ confidential data to a shared drive where it could be accessed by employees who did not have the necessary authorizations to access the databases themselves. 

The former Desjardins employee who sold customer information had access to this marketing drive and, between March 2017 and May 2019, downloaded personal and financial customer data onto USB keys.

The report recommended that Desjardins improve its security, data segregation, and monitoring procedures. The organization was also advised that it needed to address its data retention policies, with the report commenting that “an organization must not retain personal information longer than necessary to fulfill the purposes for which it was collected.”

Why do criminals purchase private data and personal information?

As PBS reports, although some data breaches are political and national security threats, most data breaches have money as the main motivation. Stolen personal data and financial information are sold on illegal marketplaces on the dark web. 

Once a criminal has purchased the information, they can use it to commit lucrative identity theft and credit card fraud crimes. 

Is Data Theft from Companies on the Rise?

2021 saw a record number of data security breaches and criminal hacking of company information, and according to NASDAQ, that upward trend is continuing in 2022. In the first quarter of this year, data breaches were already up by 14% compared to the same period the year before. 

How Can Victims Claim Their Share of the Compensation?

The law firms Kugler Kandestin and Siskinds Desmeules have been representing the interests of class action members and assure victims of the breach that they will be able to claim their share of the compensation, no matter where they are based.

Anyone who was affected by the security breach will be invited to make a claim to cover the time spent dealing with the consequences. This will be paid at a rate of 18 Canadian dollars per hour, with a maximum of 5 hours allowable with each claim. An additional claim of 1,000 Canadian dollars can be made by anyone who was a victim of identity theft following the incident.

Desjardins has set up a dedicated website for victims of the incident which assures those who have been affected by the breach that they do not have to take any more action at this stage but can sign up to receive a notification when it is time for them to make a claim.


