So much for Guy Cormier’s summer holidays.
The chief executive officer of Desjardins Group has spent the past month dealing with the fallout from a massive data leak affecting almost three million of the Quebec-based financial co-operative’s customers. And he will likely spend several more weeks doing damage control.
Since Desjardins revealed the data breach on June 20, Mr. Cormier has been on the defensive fending off questions about the giant financial co-op’s data security operations and its response after it was informed by police that personal information on 2.7 million individual clients and 173,000 business customers had been shared outside the organization. Police suspect a rogue employee may have sold the data, which included social insurance numbers, to fraudsters outside Canada via the dark web, according to Le Journal de Montréal.
Quebec’s Access to Information officer and the federal privacy commissioner have launched a joint investigation to determine whether Desjardins was in compliance with provincial and federal laws governing data protection. And worried customers have been a fixture on the nightly news in Quebec, where Desjardins remains a dominant player in retail banking.
Politicians naturally jumped into the fray, forcing Mr. Cormier to appear before a House of Commons committee on Monday. But the hearing did little to assuage concerns that thousands of Desjardins customers risk becoming victims of identity theft. A suggestion by Conservative MPs that Desjardins customers be granted new social insurance numbers was rejected as impracticable, given the government’s inability to cancel existing ones.
There has already been evidence of fraudulent credit cards being taken out using SINs and birth dates of Desjardins customers. Former Desjardins CEO Claude Béland, now 87, revealed that he recently received several notices for unpaid balances on credit cards that he had not signed up for. He questioned whether Desjardins does an adequate job screening employees.
For an institution that has long sought to distinguish itself (in a good way) from the big banks, claiming to be rooted in communities where it does business, the data breach has raised questions about whether the centralization of operations in recent years has been accompanied by internal controls on the use of personal data that used to be managed at the branch level.
Desjardins’ initial response to the data breach fell short when customers who attempted to sign up for credit monitoring and identity-theft insurance with Equifax, which Desjardins offered for free, faced long waits on the phone and spotty service in French. Equifax’s website was also down repeatedly, according to several media reports.
Only 13 per cent of the 2.9 million personal and business customers hit by the data breach had managed to sign up with Equifax by Monday, leading Desjardins to itself extend automatic identity-theft protection to all of its more than four million customers. The coverage includes a maximum of $50,000 for lost salary and notary fees incurred as a result of an identity theft, as well as psychological counselling.
So far, Desjardins claims that it hasn’t witnessed any major exodus of customers. But with the big banks and fintech players aggressively looking for business in Quebec, analysts predict the financial fallout from the data breach could be significant for Desjardins. The financial co-op is well capitalized, however, with a Tier 1 capital ratio in excess of the big banks.
According to a 2018 investor presentation by Desjardins, which raises debt on public markets, the financial co-op holds a 36-per-cent market share in Quebec in residential mortgages, 22 per cent of the consumer credit market and a 20-per-cent market share in commercial loans. Its assets topped $300-billion in the first quarter of 2019, making it one of Canada’s biggest financial institutions – and hence, a prime target for customer raiding by competitors.
Little wonder Mr. Cormier has been omnipresent in recent weeks, appearing almost daily on Quebec television to reassure customers that Desjardins is up to the task of protecting their information and promising to compensate any customers affected by the data breach.
On Monday, however, he warned MPs that Canada remains ill prepared for the 5G-technology era and the massive increase in data circulation that it heralds. He called on Ottawa to set up a task force to advise the government on data protection in future.
For now, however, Mr. Cormier can say goodbye to his summer.