Desjardins data breach affecting 2.9 million members leads to class-action lawsuit

Desjardins President and CEO Guy Cormier leaves a news conference in Montreal on Thursday, June 20, 2019. Paul Chiasson/The Canadian Press

Desjardins Group is facing a legal backlash after a pair of class-action lawsuits were initiated in connection with a data breach affecting nearly three million members.

Filed in Quebec Superior Court, the proposed class actions allege the financial co-operative either violated its members’ privacy rights or showed negligence in safeguarding their personal and financial information.

Desjardins chief executive Guy Cormier said Thursday a former employee shared the personal information of more than 2.9 million members with third parties outside of the organization.

READ MORE: Desjardins says personal info of 2.9 million members shared illegally by employee

The data includes social insurance numbers, names and addresses, and affects 2.7 million individual members and 173,000 business members.

One application, filed Thursday by law firm Siskinds Desmeules on behalf of a Quebec City resident, seeks compensatory and punitive damages.

Story continues below advertisement

The other, filed Friday by the law firms LPC Avocat and Kugler Kandestin on behalf of a Montrealer, says the fact that additional security measures were implemented following the internal breach suggests Desjardins failed to live up to its obligations and owes the applicant $300, plus damages.

Breaking news from Canada and around the world sent to your email, as it happens.

On Friday, Desjardins extended its offer to pay for a credit monitoring plan and identity theft insurance for affected members to five years, up from the 12 months announced Thursday.

READ MORE: Desjardins Insurance app raises privacy concerns for drivers

Quebec’s financial watchdog is warning Desjardins members they may be the target of fraudulent emails, texts and phone calls.

“Fraudsters may be tempted to contact you to extract personal information under the pretext that they are doing so in connection with security measures or updates stemming from the incident discovered on June 20, 2019,” the financial markets regulator said in a release.

The first proposed lawsuit notes that the full impact of the “illegal data transmission” _ affecting 41 per cent of Desjardins members and first detected in December _ remains “unknown.”

“With almost three million individuals and businesses affected, whoever he sold it do or disclosed it to…if that took place…that is a treasure trove to potentially make false refund claims on HST or income tax returns or even insurance,” said Denis Meunier, former deputy director of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).

Story continues below advertisement

WATCH: Russia demands Tinder turn over personal user data

Click to play video: 'Russia demands Tinder turn over personal user data'
Russia demands Tinder turn over personal user data

Sponsored content