What you need to know about the Desjardins data breach

The data breach at Desjardins Group is thought to be one of the largest ever among Canadian financial institutions. Here's a breakdown of what went wrong and what's happening now.

Warnings of fraud, possible lawsuit after financial institution says members' info leaked

Guy Cormier, president and CEO of Desjardins Group, announced Thursday that an employee improperly accessed and shared the information of 2.7 million individuals and some 173,000 businesses. (Ivanoh Demers/Radio-Canada)

The data breach at Desjardins Group is thought to be one of the largest ever among Canadian financial institutions, affecting roughly 2.7 million people and 173,000 businesses.

Now, in its aftermath, there's a warning about fraudulent emails, and a class-action lawsuit is in the works. 

Here's a breakdown of what went wrong and what's happening now.

What happened

Officials at Desjardins revealed Thursday an employee improperly collected information about customers and shared it with a third party outside the financial institution, which is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.

The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits. Passwords, security questions and personal identification numbers weren't compromised, according to Desjardins.

The employee, a man who has not been publicly identified, was fired. He was arrested by Laval police but has not been charged.

What are the risks?

Desjardins said it has not seen a spike in fraud cases since the breach.

But important questions remain, says one Montreal-based security expert.

"The first thing we need to find out is where is the information — that wasn't answered yesterday," said Claude Sarrazin, who has been watching the case closely. "Who has control over that information?"

Desjardins flagged a suspicious transaction to Laval police last December, and it took several months for the institution to learn the scope of the scheme.

François Dumais, left, an inspector with Laval police, took part in Thursday's news conference. The police service assisted with an investigation at Desjardins. (Ivanoh Demers/Radio Canada)

In May, police told Desjardins that the personal information of some of its members had been leaked. An internal investigation was then conducted with the help of Laval police.

What Desjardins is doing

Desjardins said extra security measures have been put in place to protect data, such as requiring additional steps to confirm a member's identity. It is also contacting every member affected by the leak.

"We're communicating directly with every member who's been affected to explain what happened and what they can do," Desjardins said on its website.

On Friday, Desjardins extended its offer to pay for a credit monitoring plan and identity theft insurance for affected members for five years, up from the 12 months announced a day earlier.

A detailed list of what Desjardins is doing about the breach can be found here.

Class action in the works

A proposed class action filed in Quebec Superior Court on Friday alleges the co-operative financial group was negligent in safeguarding its members' personal and financial information.

The lawsuit argues Desjardins failed to live up to its obligations and owes affected members $300 each, plus punitive damages.

The suit has not yet been certified by a judge — a requirement before it can proceed.

Julie Courchesne, a Desjardins client for more than 35 years, said she's "very frustrated" by the situation. She said the breach will lead to a feeling of uncertainty about her private information "for the rest of our lives."

Warnings of fraud

In the aftermath of the data breach, Quebec's regulator of financial institutions warned that Desjardins members may be the target of fraudulent emails, text messages and telephone calls.

"Fraudsters may be tempted to contact you to extract personal information under the pretext that they are doing so in connection with security measures or updates stemming from the incident," the Autorités des marchés financiers (AMF) said Friday.

Desjardins is the largest federation of credit unions in North America, with outlets across Quebec and Ontario. (Paul Chiasson/Canadian Press)

The AMF said you should "never reply" to such requests.

"Contrary to what the fraudsters may try to make you believe, such emails and text messages do not come from your financial institution, even if they bear the institution's logo," the statement said.

About the Author

Benjamin Shingler covers politics, immigration and social issues for CBC Montreal. Follow him on Twitter @benshingler.

With files from CBC's Lina Forero


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.