Desjardins Group did not have appropriate safeguards in place to prevent a “malicious employee” from stealing the information of 9.7 million customers over 26 months, says Canada’s privacy commissioner – which led to the largest data breach in the country’s financial-services sector to date.
The Office of the Privacy Commissioner of Canada, its Quebec counterpart and the province’s financial regulator on Monday published the results of their investigations into the breach, which was first reported in 2019. They found that the Desjardins marketing team had access to a shared directory of client information that should have had more stringent security, allowing a member of that team to transfer “financial and identity profiles” to USB keys from their computer.
The privacy watchdogs found that some of Desjardins’ policies and procedures for managing personal data were “inadequate” – and that it also failed to follow through with some of those procedures in the first place. Training to handle sensitive data was “lacking,” the investigators found, and the company hadn’t put proper procedures in place to manage the destruction of personal data.
Federal Privacy Commissioner Daniel Therrien told a virtual news conference Monday that it was “unacceptable” that Desjardins didn’t have systems in place to monitor for this kind of employee-led breach. But even though the privacy investigation found that Desjardins did not meet its obligations under the Personal Information Protection and Electronic Documents Act, or PIPEDA, the credit union will face no federal financial penalty.
While PIPEDA does allow for fines of up to $100,000 for companies that don’t properly report data breaches, Desjardins followed the required reporting process, Mr. Therrien’s office told The Globe and Mail. Ottawa has promised new legislation that better empowers the privacy commissioner and carries fines for data breaches as high as $25-million or 5 per cent of a company’s global revenue – whichever is greater – but it was only introduced in November and is now winding its way through Parliament.
“PIPEDA has been lacking for years; it has no teeth,” said Ann Cavoukian, the former Ontario privacy commissioner whose privacy framework, Privacy by Design, is used the world over. That the federal commissioner can’t impose fines in this kind of situation, she said, is “appalling.” “… If the commissioner finds someone has broken the law, what recourse does he have? Nothing.”
Without commenting directly on how the coming legislation could have changed the result of this investigation, Mr. Therrien said its proposed fines for companies who do not safeguard their data would be “a good thing.”
“One of the most problematic issues that we’ve seen here is that Desjardins knew that it had vulnerabilities,” Mr. Therrien added Monday. “To their credit, they were taking measures to correct those vulnerabilities, but did not do so sufficiently rapidly.”
Quebec’s financial regulator, the Autorité des marchés financiers, said in its own report Monday that it had found Desjardins “had failed to comply with its legal obligation to apply sound and prudent management practices, which increased the odds of such an incident occurring.”
The regulator singled out the credit union’s senior management and board for not putting sufficient controls in place and not “adequately monitoring” plans to implement recommendations of both the regulator and its own internal auditors.
Desjardins declined to make a spokesperson available for an interview. In a written response to the investigations’ findings, the credit union said it had agreed to recommendations to strengthen its security practices, including creating a retention schedule for destroying personal data after its purpose is no longer necessary.
It must now submit a monthly report to the Quebec regulator to show progress in implementing recommendations.
Desjardins said it would appoint a chief data officer to manage its data practices, and create a security office with a budget of more than $150-million. Last December, the credit union also put together a special board committee to examine its reaction to the privacy breach.
“Desjardins has made great strides in information security over the past 18 months and will continue to apply international best practices,” the statement said.
The information breach included names, dates of birth, home and e-mail addresses, phone numbers and social insurance numbers, as well as some account and transaction details.
A month after publicly disclosing the problem, Desjardins announced an identity-protection program that promises direct support for clients throughout the recovery process, five free years of credit monitoring, and reimbursements of up to $50,000 for expenses they might incur through the process. The company declined to disclose the number of claims made or people supported by the program.
The credit union contested the extent of the data breach as described by the privacy watchdogs, saying that its evidence suggests that only 4.2 million clients with active accounts potentially had their data exposed to a third party. “There is nothing that confirms that the ex-employee shared anyone else’s personal information with third parties,” the statement said.
But the investigators said that more than double that number were part of the breach, including more than four million former account holders, prompting them to highlight the importance of destroying outdated customer information. Some people whose information was exposed hadn’t been a Desjardins client in decades, which Mr. Therrien said he found “startling.”
Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.