Breach cost $53m in Q2, says Desjardins

Canadian personal and business financial services cooperative Desjardins has revealed that it spent the equivalent of $53m or nearly £44m in the second quarter related to a data breach earlier this year.

The data breach, reported in June 2019, exposed data for approximately 2.9 million members including individuals and businesses.

The breach was blamed an “ill-intentioned employee” who was subsequently dismissed for disclosing the data “to individuals outside Desjardins without authorisation”. Dejardins said the company was not the victim of a cyber attack and its computers were in no way breached.

However, it has not specified what customer data was accessed and who it was shared with, according to SearchSecurity. The company said only that account passwords, security questions and personal identification numbers (PINs) were not exposed.

Desjardins said it “introduced additional monitoring and security measures” to protect customer information and sent a letter to all members affected by the incident and offered all affected members accredit monitoring plan and identity theft insurance with Equifax for five years.

In addition, on 15 July 2019, Desjardins Group announced all its members were automatically protected against identity theft.

“The expenses related to costs incurred and the establishment of a provision with respect to the implementation of these protections for our members, totalling C$70m, have been recognised in profit or loss in the second quarter of 2019,” the company said in its latest financial report.

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said the second-quarter cost is likely to be the start of financial losses and spiralling spending that will likely last for years.

“Most businesses foreseeably downplay data breach losses, omitting vital components of the inflicted damages in their calculations,” he said.

According to Kolochenko, individual and collective lawsuits initiated by the victims, even if settled with comparatively “scanty compensation” afterwards, usually end years after the breach.

“Penalties and regulatory fines imposed by the governments, often in different countries thereby aggravating the costs, likewise are not of an immediate nature,” he said.

“Last but not least, the ongoing reputational damage and loss of business is frequently incremental, but somewhat imperceptible. Most customers and partners won’t resign their contracts with a hacked company immediately after the incident for a diversity of practical reasons, though they will undoubtably have less intention of renewing their contracts afterwards.”

Cyber security insurance is one possibility that organisations should explore to handle data breaches, said Kolochenko.

“However, given the emerging nature of this market, it’s a slippery slope and insurance contracts should be meticulously revised by a trusted law firm and cyber security experts for mushrooming exceptions and waivers,” he said.