What you need to know about the Desjardins data breach

The data breach at Desjardins Group is thought to be one of the largest ever among Canadian financial institutions, affecting roughly 2.7 million people and 173,000 businesses.

Now, in its aftermath, there's a warning about fraudulent emails and a class-action lawsuit is in the works. 

Here's a breakdown of what went wrong and what's happening now.

What happened

Officials at Desjardins Group revealed June 20 that an employee improperly collected information about customers and shared it with a third party outside the financial institution, which is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.

The leaked information includes names, addresses, birth dates, social insurance numbers (SINs), email addresses and information about transaction habits. Passwords, security questions and personal identification numbers weren't compromised, according to Desjardins.

Desjardins flagged a suspicious transaction to Laval police last December, and it took several months for the institution to learn the scope of the scheme.

In May, police told Desjardins that the personal information of some of its members had been leaked. An internal investigation was then conducted with the help of Laval police.

The employee, a man who has not been publicly identified, was fired. He was arrested by Laval police but has not been charged.

What are the risks?

Desjardins said it has not seen a spike in fraud cases since the breach.

However, the credit union federation got more egg on its face when Claude Béland, the president of Desjardins from 1987 to 2000, told Radio-Canada on July 12 that he personally had been a victim of identity theft.

Many important questions remain about the breach, said one Montreal-based security expert.

"The first thing we need to find out is where is the information," said Claude Sarrazin, who has been watching the case closely, on June 21. 

"Who has control over that information?"

The head of the House of Commons public safety and national security committee, Liberal MP John McKay, chaired an emergency meeting to discuss the data breach on July 15. But he's not sure Canada's laws will ever be able to prevent breaches like the one at Desjardins.

At the behest of the Conservatives, the committee discussed the feasibility of issuing new SINs. Tens of thousands have signed a petition demanding new numbers.

• Commons committee chair questions Canada's ability to deal with incidents like Desjardins data breach

Federal officials told the committee that replacing SINs would offer less protection than the free credit check service Desjardins is offering victims of the data breach.

Desjardins Group President Guy Cormier fielded questions from the committee but told MPs his appearance was premature, given the ongoing police investigation.

The Office of the Privacy Commissioner of Canada and Commission d'accès à l'information du Québec have launched an investigation looking at whether Desjardins was in compliance with federal and provincial laws on personal information protection.

What Desjardins is doing

Desjardins said extra security measures have been put in place to protect data, such as requiring additional steps to confirm a member's identity. It is also contacting every member affected by the leak.

"We're communicating directly with every member who's been affected to explain what happened and what they can do," Desjardins said on its website.

Desjardins initially said it would pay for a credit-monitoring plan through Equifax and offer identity theft insurance for affected members for 12 months, but then a day later extended that coverage to five years.

After complaints from affected members about difficulties accessing and activating the Equifax monitoring plan, Cormier announced on July 15 that the federation will offer free, permanent data protection to all its members who use its banking services, with the exception of investment and insurance customers.

• Desjardins to offer all members free, lifelong protection after data breach

A detailed list of what Desjardins is doing about the breach can be found here.

Class action in the works

A proposed class action filed in Quebec Superior Court alleges the co-operative was negligent in safeguarding its members' personal and financial information.

The lawsuit argues Desjardins failed to live up to its obligations and owes affected members $300 each, plus punitive damages.

The suit has not yet been certified by a judge — a requirement before it can proceed.

Julie Courchesne, a Desjardins client for more than 35 years, said she's "very frustrated" by the situation. She said the breach will lead to a feeling of uncertainty about her private information "for the rest of our lives."

Warnings of fraud

In the aftermath of the data breach, Quebec's regulator of financial institutions warned that Desjardins members may be the target of fraudulent emails, text messages and telephone calls.

"Fraudsters may be tempted to contact you to extract personal information under the pretext that they are doing so in connection with security measures or updates stemming from the incident," Quebec's Autorité des marchés financiers said on June 21.

The AMF said you should "never reply" to such requests.

"Contrary to what the fraudsters may try to make you believe, such emails and text messages do not come from your financial institution, even if they bear the institution's logo," the statement said.