Desjardins to pay nearly $201M in settlement related to 2019 data breach

Click to play video: 'Desjardins data breach a test of Bill C-59 and its various interfaces'
Desjardins data breach a test of Bill C-59 and its various interfaces
John McKay, Public Safety and National Security Committee chair, tells Eric Sorensen that even though it was a rogue employee who stole the names, addresses and social insurance numbers of nearly three million Canadians, these actions may have more serious implications – Jul 14, 2019

Financial services firm Desjardins Group will pay up to nearly $201 million to settle a class-action lawsuit related to a data breach in 2019 that affected nearly 9.7 million Canadians.

The agreement, which is subject to approval by the Quebec Superior Court, would allow eligible individuals who were affected by the privacy breach announced in June 2019 to receive a payment.

The settlement applies to members and former members as well as clients and former clients of the financial co-operative who have held Desjardins credit cards or financing products.


Desjardins says there’s no need for people to contact it before the agreement is approved and a claims process begins.

Story continues below advertisement

Plaintiff law firms Siskinds Desmeules and Kugler Kandestin say the agreement provides compensation for loss of time related to the personal information breach, as well as compensation for identity theft.

Click to play video: 'How to better protect yourself from data hacking'
How to better protect yourself from data hacking

It also provides members Equifax credit monitoring service coverage for five years, and an extension by at least five years of the other protective measures implemented by Desjardins following the breach.

Financial news and insights delivered to your email every Saturday.

A report by the federal Privacy Commissioner attributed the data breach to a series of technological and administrative gaps at Desjardins.

For at least 26 months, a rogue employee siphoned sensitive personal information collected by Desjardins from customers who had purchased or received products through the organization, a report by the commissioner found.

Story continues below advertisement

For some, the data included first and last names, dates of birth, social insurance numbers, street addresses, telephone numbers, email addresses and transaction histories.

The breach occurred over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by police, he added.

Sponsored content