The 9.7 million victims of the gigantic theft of personal data at Desjardins in 2019 will have to remain on guard until the end of their days because this information could be resold “at any time,” experts warn.
“When data is compromised once, it’s compromised forever,” says cybersecurity specialist Steve Waterhouse in an interview.
“The fraudsters, they have money to make, and they don’t give a damn about your wishes in life,” he continues. So they will resell the information as quickly as possible to monetize [les renseignements]but if it doesn’t work, they’ll try again in three years, in five years, whenever.”
- Listen to the interview with Denis Therriault, journalist on the JE show on Alexandre Dubé’s microphone via QUB :
Permanent risks
This means that everyone must remain on their guard at all times, adds another specialist, Paul Laurier, president of the company specializing in cyber investigation Vigiteck.
“All these people are always exposed to phishing attempts and fraud,” he emphasizes. “Unfortunately, that often means endless fights with the financial institution, and with the police who don’t always take complaints.”
Mr. Laurier also believes that it is “certain” that the scammers will succeed in thwarting the protections that have been put in place by Desjardins. “Dual ID to log in is great, but as long as criminals can control two entrances, they can have access to everything. Theoretically, it’s difficult, but in practice, it can be done,” he says.
“With 9 million accounts available, someone will find a loophole, that’s for sure,” he concludes.
Marked for life
This is without taking into account that victims of identity theft are often scarred for life, as evidenced by the story of a retiree from Terrebonne who still lives in a state of hypervigilance even five years after the disaster (see other text).
In addition to the psychological consequences, this type of crime often has very concrete impacts on daily life, notes the co-director general of the Consumers’ Union, Maxime Dorais, recalling that identity theft can ruin a credit rating. and at the same time destroy a person’s chances of obtaining financing, and even worse.
“The problem is that credit score isn’t just used for financial purposes. There are landlords and employers who ask to do credit checks before choosing a tenant or an employee, and candidates who refuse are often frowned upon,” he laments.
“And it’s far from simple to correct a credit file, it’s really an obstacle course. It can take several months, and you have to work hard. It causes economic harm and stress that nothing can compensate for,” adds Mr. Dorais.
June 20 will mark the fifth anniversary of the announcement of the massive theft of data at Desjardins by the current CEO, Guy Cormier. This leak of personal information, the largest in Quebec history, caused 9.7 million victims in addition to triggering a vast police operation and shaking confidence in the financial institution.
A $318 million bill and rolling heads
The data leak will have cost Desjardins more than $300 million: at least $108 million in internal costs as well as for the implementation of protection measures intended for members and customers, to which must be added the maximum sum of $201 million for compensation paid to victims and $8.5 million paid to class action lawyers. Desjardins also had to thoroughly review its security measures, notably prohibiting the use of USB keys, on which the suspects had stored the stolen data. Finally, two senior managers, Denis Berthiaume and Chadi Habib, left the cooperative at the end of 2019. They are now employed by iA Financial Group and WSP Global.
Much steeper fines
If the data leak happened again today, Desjardins would likely have to pay a hefty fine. Law 25, adopted in 2021 by the National Assembly, established the maximum fine payable following a confidentiality incident at $25 million. The law also imposed new requirements on businesses regarding the protection of personal information. Finally, Bill 53, adopted in 2020, allows Quebecers to ask credit agencies like Equifax and TransUnion to “freeze” their file to prevent credit card accounts from being opened without their knowledge.
Permanent risks, “permanent protection”
In the weeks following the announcement of the disaster, Desjardins announced that affected customers could benefit from credit monitoring services from the Equifax firm for a period of five years, before deciding a few days later to offer a “permanent protection” to all members and clients of the Movement. Thus, the assets they hold and the financial transactions they carry out are protected in the event of an unauthorized transaction. In the event of identity theft, members are entitled to a maximum reimbursement of $50,000 for costs or expenses as part of a process to resolve the situation.
Modest compensation
After nearly five years, the victims of the gigantic leak of personal information began to be compensated by Desjardins in recent months, following an amicable settlement of $200 million concluded in 2021 with two accounting firms. lawyers who had filed class actions the day after the announcement of the data theft. Under this agreement, victims of identity theft will receive a payment of $935, and those who lost time taking steps due to the leak can receive an amount of $90. Unlike lost time claims, identity theft claims can still be filed with class action administrator Ricepoint until October 20, 2025.
Gaps in defense systems, according to the AMF
The slap in the face was sharp, in 2020, in a report signed AMF. Desjardins was accused of having ignored “the multiple findings and recommendations of the AMF and auditors” made Before data theft. The coop had “failed in its legal obligations”. On Thursday, the AMF assured the Journal that the measures required by the gendarme in December 2020 have been put in place. The Authority also recalled that it is not its role to manage financial institutions for them. A firm of independent experts approved by the AMF is responsible for monitoring Desjardins in the implementation of best practices within the industry, the AMF swears to Quebecers.
With the collaboration of Sylvain Larocque and Julien McEvoy
Do you have any information to share with us about this story?
Write to us at or call us directly at 1 800-63SCOOP.
