A rogue employee of Desjardins Group has leaked the personal information of 2.9 million members of the financial services co-operative, but executives tried to reassure customers Thursday that their money is safe.
The personal information included names, birth dates, social insurance numbers and e-mail, telephone and home addresses, according to Desjardins Group chief executive Guy Cormier. Account access information such as passwords, personal identification numbers and identity-confirmation questions was not leaked, he stressed. He also emphasized the breach was not the result of a cyberattack or other external theft.
“That a member of our organization decided to betray our members … I can’t say all the words that come to mind. I’m indignant. It’s totally unacceptable,” Mr. Cormier said.
A suspicious transaction led credit union officials to call the police in late 2018, but the extent of the information breach started to become clear only last week, Mr. Cormier said. The company has fired the responsible employee, he said.
Sergeant François Dumet of the Laval police said investigators arrested one man and charges will be forthcoming. He refused to say whether others are under investigation. “I can tell you this is a criminal infraction,” he said. “But we can’t give you too many details with the investigation still under way.”
The data breach is among the largest known leaks in the Canadian financial services sector, but reporting requirements have been uneven historically. Canada passed regulations requiring disclosure only in 2018. That year, the Bank of Montreal and online bank Simplii Financial suffered data breaches involving 90,000 customers total.
In the United States, hackers accessed the information of 83 million JPMorgan Chase & Co. customers in 2014. In 2017, Equifax suffered a massive data breach involving 146 million U.S. customers, but only 19,000 Canadians.
“This is a big one,” said David Masson, Canada manager for the cybersecurity firm Darktrace. “It’s not a hack, but an insider threat, which is one of the most insidious kinds. They’re so dangerous because the person has a pass into the building, a pass into the network, and because they know the organization they have a fantastic book of excuses ready to explain away what they are doing.”
Quebec’s securities regulator, the Autorité des marchés financiers, described the leak as a major incident in a statement but added it “is satisfied with the actions taken to date by Desjardins Group to protect the interests and assets of its members.”
Desjardins chief operating officer Denis Berthiaume said in December that Desjardins alerted Laval police about a suspicious transaction but “nothing at the time pointed to a breach of confidentiality.”
On May 22, he said, the police informed them that personal information had been leaked. The company beefed up security and supervision and launched its own internal investigation. “It quickly pointed to one employee, a data specialist, who connived to get access to information he should not have had access to, and transferred it to a third party,” he said. The employee was suspended immediately, the data leak stopped and the employee was fired, he said.
The executives said they do not know who received the information and that it is too early to say what the breach will cost the organization. But they reassured affected customers it will cost them nothing.
The leaked data came from 2.7 million personal accounts and 173,000 business accounts. “We’ve seen no increase in fraudulent account activity in recent months,” Mr. Berthiaume said.
Desjardins is offering identity-theft protection and fraud insurance free of charge to members for a year.
With reports from Ingrid Peritz