desjardins information leak

Montreal-based insurance group Desjardins Group is in hot water, after a data breach that affected 2.9 million customers has resulted in two separate class-action lawsuits.

According to the lawsuits, which were both filed in Quebec Superior Court, Desjardins Group is accused of violating their members’ privacy rights or negligently protecting said rights.

One lawsuit seeks compensatory and punitive damages, while the other seeks $300 per applicant for failing to live up to their obligations along with damages.

What Happened

According to Desjardins’ CEO, Guy Cormier, a former employee (he has since been fired from the company) shared members’ information with several third-party organizations.

The information belonged to approximately 2.7 million individuals and 173,000 business accounts—which makes up 41 percent of Desjardins members—and consisted of names, dates of birth, social insurance numbers, and addresses.

However, according to Desjardins, Passwords, security questions, and personal identification numbers were not part of the information shared.

According to recent reports, the breach was not caused by a group of hackers, but rather a disillusioned employee attempting to get back at the company. Immediately upon learning about the breach, the man—who has not been identified—was fired, and he was arrested by Laval police, although no charges have been filed.

Based on recent reports, it appears Desjardins became aware of a suspicious transaction in December 2018. Desjardins notified the police immediately, and after, five months of investigation discovered the data breach that was announced on June 20.

Assurance from Company

According to Quebec’s Autorité des marchés financiers, Desjardins handled the situation effectively, and they said in a statement: “Desjardins handled the situation with due rigour, transparency, and speed and that their cooperation provided to law enforcement is full and complete.”

In a statement issued shortly after the breach, Cormier said: “I’d like to reassure our members and clients: their accounts and assets with Desjardins are protected in the event of fraud. If they suffer a financial loss as a result of this situation, they will get their money back. We regret this situation and are making every effort to ensure that it doesn’t happen again.”

Additionally, Desjardins offered to provide a credit monitoring service to affected members in addition to identity theft insurance for five years. Furthermore, Desjardins has also set up a hotline at 1-800-CAISSES (1-800-224-7737) that will operate from 9 a.m. to 9 p.m. which members can contact regarding concerns they have related to the data breach.

What Happens Now?

Affected members are being warned to watch out for fraudulent emails, texts, and phone calls.

Quebec’s Autorité des marchés financiers add that scammers may reach out to the victims under the guise of security measures related to the data breach.

Denis Meunier, former deputy director of the Financial Transactions and Reports Analysis Centre of Canada said: “With almost three million individuals and businesses affected, whoever he sold it do or disclosed it to…if that took place…that is a treasure trove to potentially make false refund claims on HST or income tax returns or even insurance.”