Desjardins Group announced Dec. 16 it has reached a proposed C$201 million (U.S. $155 million) settlement agreement in a class-action lawsuit following a long-running data breach that ultimately compromised the personal information of nearly 10 million individuals in Canada and abroad.

The proposed settlement follows an investigation that began in July 2019 by two privacy watchdogs: the Office of the Privacy Commissioner of Canada and its Quebec equivalent. As a Canadian financial services cooperative, Desjardins is subject to provincial data privacy compliance laws in Quebec but also must comply with federal data privacy requirements for its activities elsewhere in Canada.

The agencies concluded in their investigation that a “malicious” employee carried out the data breach by siphoning for at least 26 months personal information collected by Desjardins. The compromised personal information included first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses, and transaction histories.

“Such data elements can be considered sensitive on their own,” the agencies stated in their report on the investigation’s findings. “When combined, they can also be exploited by malicious individuals to steal the identities of the persons concerned.”

According to the findings of the investigation, published in December 2020, Desjardins stored personal information in two data warehouses: a credit data warehouse and a banking data warehouse. “Access to the latter was segmented according to whether the information was confidential (which included personal information) or non-confidential,” the report stated. “The credit data warehouse was not segmented, and employees with the necessary authorizations could access all the data, including personal information.”

Each month, one or more employees from Desjardins’ marketing department, in fulfilling their job duties as authorized personnel, would copy personal information from both data warehouses to the marketing department’s shared drive accessible to all department employees, according to the report. “Once transferred, employees who did not have the necessary authorizations to access the confidential information in the data warehouses were able to access it freely,” the report stated.

The malicious employee identified by Desjardins as the source of the breach “did not have access rights to personal information held in the banking data warehouse,” the report stated. “However, he did have access to other non-confidential information contained in this warehouse.”

Between March 2017 and May 2019, the employee copied this personal information from the shared drive onto his work computer and then onto USB keys. He sold some of the information to a private lender, with some details being forwarded further to a second private lender who was also a mortgage broker and his investment and insurance adviser partner, according to media reports cited in the findings.

“This partner allegedly admitted to investigators from the Autorité des marchés financiers that he paid $40,000 to buy lists of Desjardins members’ personal information,” the report stated.

Data privacy compliance violations

The joint investigation found Desjardins violated the principles of the Personal Information Protection and Electronic Documents Act (PIPEDA) regarding accountability, data retention, and security safeguard requirements. Specifically, the investigation found Desjardins’ data protection measures to be inadequate in the following areas:

  • Policies and procedures: “In our view, Desjardins’ most significant failing in this area is with regard to the implementation of its policies and procedures,” the watchdogs said. “Despite the existence of many, we identified several examples of Desjardins having failed to take the necessary steps to ensure their complete and integrated implementation.”
  • Employee training and awareness: Although Desjardins performed ongoing training and awareness for all its employees covering data privacy protections, it did not demonstrate its employees understood “the importance of maintaining the confidentiality of personal information,” the agencies stated. “… In view of the sensitivity of the personal information held by Desjardins and the complexity of the issues related to protecting personal information within such an organization, we found that there were critical gaps in employee training and awareness at the time of the breach.”
  • Access controls and data segregation: Desjardins could have reduced the exposure of sensitive information by substituting it with non-confidential information, the report stated.
  • Oversight and monitoring: Desjardins only partially employed its active monitoring system to detect breaches. “Desjardins did not detect the data theft on its own,” the report noted. “It was the Laval police department that notified Desjardins after it discovered evidence of the breach in the course of a separate investigation involving the financial institution.”

Those affected by the breach include current and former Desjardins’ banking members and current and former clients with a credit card or in-store financing. According to complaints filed by those whose personal information was compromised, Desjardins had neither sufficiently protected their personal information against illicit accesses nor applied appropriate data retention periods.

The class-action settlement agreement has been submitted to the Superior Court of Quebec, where it must be approved before it can take effect. A hearing and ruling by the court will take place on a date to be determined in 2022.