What you need to know about the Desjardins data breach

The data breach at Desjardins Group is thought to be one of the largest ever among Canadian financial institutions, affecting roughly 2.7 million people and 173,000 businesses.

Now, in its aftermath, there's awarning about fraudulent emails and a class-action lawsuit is in the works.

Here's a breakdown of what went wrong and what's happening now.

What happened

Officials atDesjardins Group revealed June 20that an employee improperly collected information about customers and shared it with a third party outside thefinancial institution, which is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.

The leaked information includes names, addresses, birth dates, social insurance numbers (SINs), email addresses and information about transaction habits. Passwords, security questions and personal identification numbers weren't compromised, according to Desjardins.

Desjardinsflagged a suspicious transaction to Laval police last December, and it took several months for the institution to learn the scope of the scheme.

In May, police told Desjardins that the personal information of some of its members had been leaked. An internal investigation was then conducted with the help of Laval police.

The employee, a man who has not been publicly identified, was fired. He was arrested by Laval police but has not been charged.

What are the risks?

Desjardins said it has not seen a spike in fraud cases since the breach.

However, the credit union federation got more egg on its face when Claude Bland, the president of Desjardins from 1987 to 2000, told Radio-Canada on July 12 that he personally had been a victim of identity theft.

Many important questions remain about the breach, said one Montreal-based security expert.

"The first thing we need to find out is where is the information," said Claude Sarrazin, who has been watching the case closely, on June 21.

"Who has control over that information?"

The headof the House of Commons public safety and national security committee, Liberal MP John McKay, chairedan emergency meeting to discuss the data breach on July 15. But he's not sure Canada's laws will ever be able to prevent breaches like the one at Desjardins.

At the behest of the Conservatives, the committee discussed the feasibility of issuing new SINs. Tens of thousands have signed a petition demanding new numbers.

• Commons committee chair questions Canada's ability to deal with incidents like Desjardins data breach

Federal officials told the committee that replacing SINs would offer less protectionthan the freecredit check serviceDesjardins is offering victims of the data breach.

Desjardins Group President Guy Cormierfielded questions from the committeebut told MPshis appearance was premature, given the ongoing police investigation.

The Office of the Privacy Commissioner of Canadaand Commission d'accs l'information du Qubec have launched an investigation looking at whether Desjardins was in compliance with federal and provincial laws on personal information protection.

What Desjardins is doing

Desjardins said extra security measures have been put in place to protect data, such as requiring additional steps to confirm a member'sidentity. It is also contacting every member affected by the leak.

"We're communicating directly with every member who's been affected to explain what happened and what they can do," Desjardins said on its website.

Desjardins initially said it wouldpay for a credit-monitoring plan through Equifax and offer identity theft insurance for affected members for 12 months, but then a day later extended that coverage to five years.

After complaints from affected members about difficulties accessing and activating the Equifax monitoring plan, Cormierannounced on July 15 that the federation will offer free, permanent data protection to all its members who use its banking services, with the exception of investment and insurance customers.

• Desjardins to offer all members free, lifelong protection after data breach

A detailed list of what Desjardins is doing about the breach can be found here.

Class action in the works

A proposed class action filed in Quebec Superior Courtalleges the co-operativewas negligent in safeguarding its members' personal and financial information.

The lawsuit argues Desjardins failed to live up to its obligations and owes affected members $300 each, plus punitive damages.

The suit has not yet been certified by a judge a requirement before it canproceed.

Julie Courchesne, a Desjardins client for more than 35 years, said she's "very frustrated" by the situation. She said the breach will lead to a feeling of uncertainty about her private information "for the rest of our lives."

Warnings of fraud

In the aftermath of the data breach, Quebec's regulator of financial institutions warned that Desjardins membersmay be the target of fraudulent emails, text messages and telephone calls.

"Fraudsters may be tempted to contact you to extract personal information under the pretext that they are doing so in connection with security measures or updates stemming from the incident,"Quebec'sAutorit des marchs financierssaid on June 21.

The AMF said you should "never reply" to such requests.

"Contrary to what the fraudsters may try to make you believe, such emails and text messages do not come from your financial institution, even if they bear the institution's logo," the statement said.