Skip to main content

Report on Business Desjardins Group suffers massive data breach of 2.9 million members by rogue employee

A rogue employee of Desjardins Group has leaked the personal information of 2.9 million members of the financial services co-operative, but executives tried to reassure customers Thursday that their money is safe.

The personal information included names, birth dates, social insurance numbers and e-mail, telephone and home addresses, according to Desjardins Group chief executive Guy Cormier. Account access information such as passwords, personal identification numbers and identity-confirmation questions were not leaked, he stressed. He also emphasized the breach was not the result of a cyberattack or other external theft.

“That a member of our organization decided to betray our members … I can’t say all the words that come to mind. I’m indignant. It’s totally unacceptable,” Mr. Cormier said.

Story continues below advertisement

A suspicious transaction led credit union officials to call the police in late 2018, but the extent of the information breach started to become clear only last week, Mr. Cormier said. The company has fired the responsible employee, he said.

Sergeant François Dumet of the Laval police said investigators arrested one man and charges will be forthcoming. He refused to say whether others are under investigation. “I can tell you this is a criminal infraction,” he said. “But we can’t give you too many details with the investigation still under way.”

Desjardins facing class-action suit in wake of major data breach

Freedom Mobile hit by data breach, up to 15,000 customers affected

Equifax fell short of privacy obligations to Canadians during, after 2017 data breach: privacy commissioner

Yahoo reaches $117.5-million settlement over data breach after earlier deal rejected

The data breach is among the largest known leaks in the Canadian financial services sector, but reporting requirements have been uneven historically. Canada passed regulations requiring disclosure only in 2018. That year, the Bank of Montreal and online bank Simplii Financial suffered data breaches involving 90,000 customers total.

In the United States, hackers accessed the information of 83 million JPMorgan Chase & Co. customers in 2014. In 2017, Equifax suffered a massive data breach involving 146 million U.S. customers, but only 19,000 Canadians.

“This is a big one,” said David Masson, Canada manager for the cybersecurity firm Darktrace. “It’s not a hack, but an insider threat, which is one of the most insidious kinds. They’re so dangerous because the person has a pass into the building, a pass into the network, and because they know the organization they have a fantastic book of excuses ready to explain away what they are doing.”

Quebec’s securities regulator, the Autorité des marchés financiers, described the leak as a major incident in a statement but added it “is satisfied with the actions taken to date by Desjardins Group to protect the interests and assets of its members.”

Desjardins chief operating officer Denis Berthiaume said in December that Desjardins alerted Laval police about a suspicious transaction but "nothing at the time pointed to a breach of confidentiality.”

Story continues below advertisement

On May 22, he said, the police informed them that personal information had been leaked. The company beefed up security and supervision and launched its own internal investigation. “It quickly pointed to one employee, a data specialist, who connived to get access to information he should not have had access to, and transferred it to a third party,” he said. The employee was suspended immediately, the data leak stopped and the employee was fired, he said.

The executives said they do not know who received the information and that it is too early to say what the breach will cost the organization. But they reassured affected customers it will cost them nothing.

The leaked data came from 2.7 million personal accounts and 173,000 business accounts. “We’ve seen no increase in fraudulent account activity in recent months,” Mr. Berthiaume said.

Desjardins is offering identity-theft protection and fraud insurance free of charge to members for a year.

With reports from Ingrid Peritz

Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.

Report an error Editorial code of conduct
Tickers mentioned in this story
Unchecking box will stop auto data updates
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

Cannabis pro newsletter