Skip to main content
The Globe and Mail
Support Quality Journalism.
The Globe and Mail
First Access to Latest
Investment News
Collection of curated
e-books and guides
Inform your decisions via
Globe Investor Tools
per week
for first 24 weeks

Enjoy unlimited digital access
Enjoy Unlimited Digital Access
Get full access to
Just $1.99 per week for the first 24 weeks
Just $1.99 per week for the first 24 weeks
var select={root:".js-sub-pencil",control:".js-sub-pencil-control",open:"o-sub-pencil--open",closed:"o-sub-pencil--closed"},dom={},allowExpand=!0;function pencilInit(o){var e=arguments.length>1&&void 0!==arguments[1]&&arguments[1];select.root=o,dom.root=document.querySelector(select.root),dom.root&&(dom.control=document.querySelector(select.control),dom.control.addEventListener("click",onToggleClicked),setPanelState(e),window.addEventListener("scroll",onWindowScroll),dom.root.removeAttribute("hidden"))}function isPanelOpen(){return dom.root.classList.contains(}function setPanelState(o){dom.root.classList[o?"add":"remove"](,dom.root.classList[o?"remove":"add"](select.closed),dom.control.setAttribute("aria-expanded",o)}function onToggleClicked(){var l=!isPanelOpen();setPanelState(l)}function onWindowScroll(){window.requestAnimationFrame(function() {var l=isPanelOpen(),n=0===(document.body.scrollTop||document.documentElement.scrollTop);n||l||!allowExpand?n&&l&&(allowExpand=!0,setPanelState(!1)):(allowExpand=!1,setPanelState(!0))});}pencilInit(".js-sub-pencil",!1); // via darwin-bg var slideIndex = 0; carousel(); function carousel() { var i; var x = document.getElementsByClassName("subs_valueprop"); for (i = 0; i < x.length; i++) { x[i].style.display = "none"; } slideIndex++; if (slideIndex> x.length) { slideIndex = 1; } x[slideIndex - 1].style.display = "block"; setTimeout(carousel, 2500); } //

Desjardins Group did not have appropriate safeguards in place to prevent a “malicious employee” from stealing the information of 9.7 million customers over 26 months, says Canada’s privacy commissioner – which led to the largest data breach in the country’s financial-services sector to date.

The Office of the Privacy Commissioner of Canada, its Quebec counterpart and the province’s financial regulator on Monday published the results of their investigations into the breach, which was first reported in 2019. They found that the Desjardins marketing team had access to a shared directory of client information that should have had more stringent security, allowing a member of that team to transfer “financial and identity profiles” to USB keys from their computer.

The privacy watchdogs found that some of Desjardins’ policies and procedures for managing personal data were “inadequate” – and that it also failed to follow through with some of those procedures in the first place. Training to handle sensitive data was “lacking,” the investigators found, and the company hadn’t put proper procedures in place to manage the destruction of personal data.

Story continues below advertisement

Federal Privacy Commissioner Daniel Therrien told a virtual news conference Monday that it was “unacceptable” that Desjardins didn’t have systems in place to monitor for this kind of employee-led breach. But even though the privacy investigation found that Desjardins did not meet its obligations under the Personal Information Protection and Electronic Documents Act, or PIPEDA, the credit union will face no federal financial penalty.

While PIPEDA does allow for fines of up to $100,000 for companies that don’t properly report data breaches, Desjardins followed the required reporting process, Mr. Therrien’s office told The Globe and Mail. Ottawa has promised new legislation that better empowers the privacy commissioner and carries fines for data breaches as high as $25-million or 5 per cent of a company’s global revenue – whichever is greater – but it was only introduced in November and is now winding its way through Parliament.

“PIPEDA has been lacking for years; it has no teeth,” said Ann Cavoukian, the former Ontario privacy commissioner whose privacy framework, Privacy by Design, is used the world over. That the federal commissioner can’t impose fines in this kind of situation, she said, is “appalling.” “… If the commissioner finds someone has broken the law, what recourse does he have? Nothing.”

Without commenting directly on how the coming legislation could have changed the result of this investigation, Mr. Therrien said its proposed fines for companies who do not safeguard their data would be “a good thing.”

“One of the most problematic issues that we’ve seen here is that Desjardins knew that it had vulnerabilities,” Mr. Therrien added Monday. “To their credit, they were taking measures to correct those vulnerabilities, but did not do so sufficiently rapidly.”

Quebec’s financial regulator, the Autorité des marchés financiers, said in its own report Monday that it had found Desjardins “had failed to comply with its legal obligation to apply sound and prudent management practices, which increased the odds of such an incident occurring.”

The regulator singled out the credit union’s senior management and board for not putting sufficient controls in place and not “adequately monitoring” plans to implement recommendations of both the regulator and its own internal auditors.

Story continues below advertisement

Desjardins declined to make a spokesperson available for an interview. In a written response to the investigations’ findings, the credit union said it had agreed to recommendations to strengthen its security practices, including creating a retention schedule for destroying personal data after its purpose is no longer necessary.

It must now submit a monthly report to the Quebec regulator to show progress in implementing recommendations.

Desjardins said it would appoint a chief data officer to manage its data practices, and create a security office with a budget of more than $150-million. Last December, the credit union also put together a special board committee to examine its reaction to the privacy breach.

“Desjardins has made great strides in information security over the past 18 months and will continue to apply international best practices,” the statement said.

The information breach included names, dates of birth, home and e-mail addresses, phone numbers and social insurance numbers, as well as some account and transaction details.

A month after publicly disclosing the problem, Desjardins announced an identity-protection program that promises direct support for clients throughout the recovery process, five free years of credit monitoring, and reimbursements of up to $50,000 for expenses they might incur through the process. The company declined to disclose the number of claims made or people supported by the program.

Story continues below advertisement

The credit union contested the extent of the data breach as described by the privacy watchdogs, saying that its evidence suggests that only 4.2 million clients with active accounts potentially had their data exposed to a third party. “There is nothing that confirms that the ex-employee shared anyone else’s personal information with third parties,” the statement said.

But the investigators said that more than double that number were part of the breach, including more than four million former account holders, prompting them to highlight the importance of destroying outdated customer information. Some people whose information was exposed hadn’t been a Desjardins client in decades, which Mr. Therrien said he found “startling.”

Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.

Your Globe

Build your personal news feed

  1. Follow topics and authors relevant to your reading interests.
  2. Check your Following feed daily, and never miss an article. Access your Following feed from your account menu at the top right corner of every page.

Follow the author of this article:

Follow topics related to this article:

View more suggestions in Following Read more about following topics and authors
Report an error Editorial code of conduct
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to If you want to write a letter to the editor, please forward to

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

If you do not see your comment posted immediately, it is being reviewed by the moderation team and may appear shortly, generally within an hour.

We aim to have all comments reviewed in a timely manner.

Comments that violate our community guidelines will not be posted.

Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies