Desjardins says info for 2.9M members shared outside of organization

MONTREAL — Desjardins Group said Thursday a former employee shared the personal information of more than 2.9 million of its members with individuals outside of the organization in a “malevolent” act.

The Quebec-based financial institution said the breach, first detected in December, affects 2.7 million individual members and 173,000 business members.

It said the situation is the result of unauthorized and illegal use of its internal data by an employee who has since been fired. Desjardins didn’t reveal the employee’s identity.

No charges have been laid. Laval police said a male suspect was detained, but is no longer in custody.

Desjardins noted the incident, which affected more than 40 per cent of its members, was not the result of a cyberattack and that its computer systems were not breached from the outside.

Desjardins Group chief executive Guy Cormier said the lone suspect “acted illegally, betraying the confidence of Desjardins.”

“Honestly, this situation right now is totally unacceptable,” Cormier told reporters, calling the breach “malevolent.”

“We regret this situation and are making every effort to ensure that it doesn’t happen again.”

Individual members of the Desjardins financial co-operative may have had several pieces of information released, including name, date of birth, social insurance number, address, phone number, email address and banking habits.

Passwords, security questions and personal identification numbers were not compromised, the organization said.

Business members had information such as their business name, addresses, telephone numbers and owner names exposed.

Desjardins said it is working with police and has implemented additional security measures.

It filed a complaint with police in Laval, Que., in December after detecting an “irregular situation,” Cormier said. Police told executives in late May that some members had been affected, and confirmed on June 14 that a much larger pool was impacted.

As a precaution, Desjardins said it’s also offering to pay for a credit monitoring plan and identity theft insurance for 12 months for affected members — a typical move made by companies that have suffered a major security breach.

Customers affected financially by the breach will be reimbursed, executives said, but declined to put a number on the potential cost to the organization.

“We’re talking potentially about fraud. But we cannot answer. It’s connected to the investigation that is underway by the police authority,” said operations chief Denis Berthiaume.

He added the organization has not seen an uptick in fraud incidents.

Police declined to offer a possible motive for the breach, noting the investigation is ongoing.

Laval police Insp. Francois Dumais said charges could be filed.

“It’s not impossible that there are other people implicated,” Dumais added.

The Office of the Privacy Commissioner of Canada said Desjardins notified it of the breach.

“Given the number of people impacted and the nature of the incident, it certainly raises significant privacy concerns. At this point in time we have not opened a formal investigation, but our office is closely engaging with Desjardins,” spokeswoman Tobi Cohen said in an email.

David Masson, country manager for cybersecurity firm Darktrace, said the breach is “a classic example of ‘insider threat.’”

“Somebody on the inside, somebody with a pass to the building, someone with a password on the network, someone who understands the organization and who for whatever reason — and there always is a reason but we don’t know what that is — decides to do a bit of damage,” he said. “And in this case they’ve done quite a lot of damage.”

Masson said it’s tough to know how the breach compares with past incidents at other Canadian companies because they weren’t required to report such security violations until November, when the Digital Privacy Act came into force.

“It’s a big one, that’s for sure,” he said.

Mark Sangster, a vice-president at cybersecurity company eSentire, stressed the need for a stricter approach to digital protection and privacy.

“Blaming the insider employee not only lets Desjardins off the hook but also does nothing to change how we should be approaching cybersecurity investigations to protect people’s most personal pieces of information that companies hold today,” he said in an email.

The security breach is among the biggest in Canada to come about internally, rather than via external cyberattacks, in recent years.

The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.

In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline’s mobile app.

In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.
