Desjardins Group suffers massive data breach of 2.9 million members by rogue employee


A rogue employee of Desjardins Group has leaked the personal information of 2.9 million members of the financial services co-operative, but executives tried to reassure customers Thursday that their money is safe.

The personal information included names, birth dates, social insurance numbers and e-mail, telephone and home addresses, according to Desjardins Group chief executive Guy Cormier. Account access information such as passwords, identification numbers and identity confirmation questions were not leaked, he stressed. He also emphasized the breach was not the result of a cyberattack or other external theft.

"That a member of our organization decided to betray our members … I can't say all the words that come to mind. I'm indignant. It's totally unacceptable," Mr. Cormier said.


Mr. Cormier said a suspicious transaction led the credit union to alert police in late 2018, but the extent of the information breach started to become clear only last week. The company has fired the responsible employee, he said.

Sergeant François Dumet of the Laval police said investigators arrested one man and charges will be forthcoming. He refused to say whether others are under investigation. "I can tell you this is a criminal infraction," he said. "But we can't give you too many details with the investigation still under way."

The data breach is among the largest known leaks in the Canadian financial services sector, but reporting requirements have historically been uneven. Canada passed regulations requiring disclosure only in 2018. That year, the Bank of Montreal and the online bank Simplii Financial suffered data breaches involving a total of 90,000 customers.

In the United States, hackers accessed the information of 83 million JPMorgan Chase & Co. customers in 2014. In 2017, Equifax suffered a massive data breach involving 146 million U.S. customers, but only 19,000 Canadians.

"This is a big one," said David Masson, manager of the Darktrace cybersecurity firm. "It's not a hack, but an insider threat, which is one of the most insidious kinds. They are dangerous because they have to go into the building, to get into the network, and because they know how to organize a fantastic book of excuses ready to explain away what they are doing."

Quebec’s securities regulator, the Autorité des marchés financiers, described it as a major incident in a statement but added it “is satisfied with the actions taken by dates

Desjardins chief operating officer Denis Berthiaume said in December that Desjardins alerted Laval police about a suspicious transaction but "nothing at all


On May 22, he said, the police informed them that personal information had been leaked. The company beefed up security and supervision and launched its own internal investigation. "He quickly pointed to an employee, a data specialist, who connived to get access to information, and he had to go to a third party," he said. He said, "The employee was suspended immediately, the data was stopped and the employee was fired."

The executives said they received the information and that it is too early to say what the breach will cost the organization. But they reassured affected customers it will cost them nothing.

The leaked data came from 2.7 million personal accounts and 173,000 business accounts. "We've seen no increase in fraudulent activity accounts in recent months," Mr. Berthiaume said.

Desjardins is offering identity-theft protection and fraud insurance free of charge to members for a year.

With reports from Ingrid Peritz
