Final amount to be confirmed in 2022

A class action lawsuit against Canadian financial services firm Desjardins has provisionally settled for C$201 million after a 2019 data breach exposed the personal information of 10 million customers.

Desjardins, a financial management firm based in Levis, Quebec, disclosed the data security incident in 2019.


BACKGROUND Data breach at Canadian financial services firm Desjardins highlights perils of insider threats


The breach, which spanned two years, was the result of “unauthorized and illegal access” to data by a “malicious” employee, says the firm.

Desjardins initially claimed that 2.9 million people were affected, but later revised this figure to 4.2 million. It eventually transpired, however, that 9.7 million were affected.

Settlement reached

Yesterday (December 16) the plaintiffs issued a press release confirming that a settlement figure has been reached.

It reads: “The settlement agreement provides for compensation for loss of time related to the personal information breach, as well as compensation for identity theft.

“In addition, the settlement agreement provides that all class members who have not yet registered for Equifax’s credit monitoring service offered by Desjardins can register and will thus be able to obtain, at no cost, Equifax coverage for five years, and the extension by at least five years of the other protective measures implemented by Desjardins following the breach.”


Read more of the latest data breach news


The settlement agreement needs to be approved by the Superior Court of Québec on a date to be determined in 2022. If it passes, class members can receive compensation totaling up to C$200,852,500 (around US$155 million).

Attorneys for the class action said that its members are “very pleased” with the settlement amount, which they said is “timely and fair compensation”.

Mind the gap

Back in 2020, the Canadian privacy commissioner Daniel Therrien said the incident “was caused by a series of gaps in administrative and technological safeguards”.

A report by the Office of the Privacy Commissioner of Canada (OPC) concluded: “The investigation into the breach at Desjardins sheds light on the risks of internal threats, whether they are intentional or not.

“The OPC stresses the importance of vigilance and a holistic approach to addressing and mitigating the impact of such threats.”


YOU MAY ALSO LIKE How expired web domains help criminal hackers unlock enterprise defenses