A breach that exposed personally identifiable information (PII) on 2.9 million Desjardins customers cost the Canadian credit union $53 million in Q2.
To accommodate users whose information was breached when an employee insider used internal data without authorization, the lender accrued the cost of offering credit monitoring as well as identity theft insurance for five years.
The consumer data leaked included first and last name, date of birth, social insurance number, address, phone number, email address and details about their banking habits and Desjardins products.
For business customers, names, addresses, telephone numbers, and the names of owners and AccèsD Affaires account users were leaked. Some information about owners or AccèsD Affaires users may have also been affected. The employee in question was fired and arrested by the Laval police.
“Unfortunately, it seems that the
amount is merely a harbinger of much higher financial losses and spiraling
spending that will likely last for years,” Ilia Kolochenko, founder and CEO of ImmuniWeb. “Most businesses foreseeably downplay data breach
losses, omitting vital components of the inflicted damages in their
calculations.”
The costs will continue to add up for years as the company faces lawsuits. “Penalties
and regulatory fines imposed by the governments, often in different countries
thereby aggravating the costs, likewise are not of an immediate nature,” said Kolochenko.
Noting that the ongoing reputational damage and loss of business is “frequently
incremental but somewhat imperceptible,” he explained that “most customers and
partners won’t resign their contracts with a hacked company immediately after
the incident for a diversity of practical reasons, though they will undoubtably
have less intention of renewing their contracts afterwards.”