Data breach that exposed personal information of 2.9 million members costs Canadian financial firm millions
Desjardins Group, a Canadian financial cooperative group, has admitted that a recent data breach has cost it a whopping C$70m ($53m US or £44m).
Desjardins in June admitted that an “ill-intentioned” staff member had illegally exposed the personal information of some 2.9 million credit union members in one of Canada’s largest data breaches.
“This situation is the outcome of unauthorized and illegal use of our internal data by an employee who has since been fired,” said the firm back in June. “In light of these events, and given the circumstances, additional security measures were put in place on all accounts. Desjardins Group will be sending a letter to all members affected by the incident.”
The leaked information included first and last name, date of birth, social insurance number, address, phone number, email address and details about customers' banking habits and the Desjardins products they use.
Thankfully, it seems that no passwords, security questions, or PINs were compromised.
“I’d like to reassure our members and clients: their accounts and assets with Desjardins are protected in the event of fraud,” said Guy Cormier, President and CEO of Desjardins Group, back in June. “If they suffer a financial loss as a result of this situation, they will get their money back. We regret this situation and are making every effort to ensure that it doesn’t happen again.”
The company offered the affected customers a credit monitoring plan and identity theft insurance for five years, without any additional costs to those customers.
But doing the right thing has been expensive for the Canadian firm.
“As for the privacy breach, a total of $70 million in expenses and provisions for the implementation of protections for our members (i.e. the credit monitoring plan and the identity theft solution for Desjardins caisse members) were recognized in the second quarter of 2019,” said the firm in its second quarter financial results.
And at least one security expert has warned that organisations will likely face rising costs associated with any data breach in the coming years, and that many would consider some form of cyber insurance policy.
“Unfortunately, it seems that the amount is merely a harbinger of much higher financial losses and spiraling spending that will likely last for years,” warned Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.
“Most businesses foreseeably downplay data breach losses, omitting vital components of the inflicted damages in their calculations,” said Kolochenko.
“Individual and collective lawsuits initiated by the victims, even if settled with comparatively scanty compensation afterwards, usually end years after the breach,” he added. “Penalties and regulatory fines imposed by the governments, often in different countries thereby aggravating the costs, likewise are not of an immediate nature.”
“Last but not least, the ongoing reputational damage and loss of business is frequently incremental but somewhat imperceptible,” said Kolochenko. “Most customers and partners won’t resign their contracts with a hacked company immediately after the incident for a diversity of practical reasons, though they will undoubtably have less intention of renewing their contracts afterwards.”
“Cybersecurity insurance may be an explorable avenue to handle, often inevitable, data breaches with less costs,” he concluded. “However, given the emerging nature of this market, it’s a slippery slope and insurance contracts shall be meticulously revised by a trusted law firm and cybersecurity experts for mushrooming exceptions and waivers.”