After a 2019 data breach exposed the personal information of 10 million clients, a class action lawsuit against Canadian financial services provider Desjardins has been provisionally settled for C$201 million. According to the company, the breach lasted two years and was caused by "unauthorised and illegal access" to data by a "malicious" employee. Desjardins first reported that 2.9 million persons were affected, however this amount was later revised to 4.2 million. However, it was later revealed that 9.7 million people were affected.
The Desjardins Group is a Canadian financial services cooperative and North America's largest credit union federation. Alphonse Desjardins started it in 1900 in Lévis, Quebec. While the company's legal headquarters remain in Lévis, the majority of its executive management, including the CEO, is situated in Montreal. Desjardins Group was comprised of 293 local credit unions operating 1,032 points of operation and serving over seven million members and clients, primarily in the provinces of Quebec and Ontario, as of 2017.
The plaintiffs released a press release on December 16th indicating that a settlement figure had been reached. It reads: “The settlement agreement provides for compensation for loss of time related to the personal information breach, as well as compensation for identity theft. In addition, the settlement agreement provides that all class members who have not yet registered for Equifax’s credit monitoring service offered by Desjardins can register and will thus be able to obtain, at no cost, Equifax coverage for five years, and the extension by at least five years of the other protective measures implemented by Desjardins following the breach.”
The settlement agreement must be authorised by the Superior Court of Québec on an unspecified date in 2022. If it is approved, class members might get up to C$200,852,500 (about US$155 million) in compensation. The class action's attorneys stated that its members are "very pleased" with the settlement sum, which they described as "timely and fair compensation."
According to the federal Privacy Commissioner's findings, the data breach was caused by a succession of technological and administrative flaws at Desjardins. A rogue employee stole sensitive personal information obtained by Desjardins from clients who purchased or received products through the organisation for at least 26 months, according to the commissioner's investigation. Some of the information included first and last names, dates of birth, social security numbers, street addresses, phone numbers, email addresses, and transaction histories.