Personal data of 2.7 million people leaked from Desjardins

An employee with "ill-intention" at Desjardins Group collected information about nearly three million people and businesses and shared it with others outside the Quebec-based financial institution, officials revealed Thursday.

The data breach affects around 2.7 million people and 173,000 businesses, more than 40 per cent of the co-operative's clients and members. Desjardins is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.

The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits.

However, Desjardins said, passwords, security questions and personal identification numbers were not compromised.

Desjardins CEO and president Guy Cormier said the security breach was not the result of a cyberattack, but the work of an employee who improperly accessed and shared the information.

That employee has been fired. He was arrested by Laval police but has not yet been charged. Cormier said he felt "betrayed" by the former employee's actions.

"I won't say all the words that I have in mind at the moment, because I know I'm in front of television cameras," Cormier said at a news conference in Montreal.

Paul Chiasson/Canadian Press

The breach looks to be one of the largest ever among Canadian financial institutions, according to one cybersecurity expert and author.

"This is certainly a historic event," said Claudiu Popa, who heads the data security firm Datarisk Canada.

Suspicious transaction

It took several months for Desjardins to learn the scope of the data-gathering scheme, after it referred a suspicious transaction to Laval police, amid routine monitoring, in December 2018.

In May, police told Desjardins that the personal information of some of its members had been leaked.

An internal investigation was conducted with the help of Laval police, Desjardins' chief operating officer, Denis Berthiaume, said Thursday.

That investigation identified the employee. He was suspended and his access to Desjardins information systems was frozen.

"The transfer of information ceased when he was suspended," Berthiaume said.

In the meantime, Laval police continued to investigate and, on Friday, informed Desjardins of the scope of the data breach and the identities of those affected.

Cormier defended the security procedures that were in place when the breach occurred.

"There is no one at Desjardins who can turn on their computer in the morning and get access to the information of all our members," said Cormier. "We're a lot more secure than that."

The suspected employee created a scheme to win the trust of his colleagues, he said. The employee allegedly used their access, and his own, to assemble the data trove.

"Internal fraud is the fraud that is the most difficult, the most complex to detect," Cormier added.

A spokesperson for Laval police refused to give details about the investigation, or the suspect, in order to protect the ongoing investigation. Desjardins said the employee, a male, worked in the data department.

Promises to reimburse

Quebec's regulator of financial institutions, the Autorité des marchés financiers (AMF), described the situation as "very serious" but said it is "satisfied with the actions" taken so far by Desjardins Group.

"The institution's officers have handled the situation with due rigour, transparency and speed," AMF said in a news release.

The Desjardins Group said additional security measures have been put in place to protect data, and it will be contacting every member affected by the leak individually.

Anyone whose data was affected will receive a 12-month credit monitoring plan, paid for by Desjardins. That service includes access to daily credit reports, alerts of any changes and identity theft insurance.

"I want to be really clear," said Cormier. "Our members will be reimbursed [for any losses they incur]. There will be no cost to our members."

Desjardins Group's chief operating officer, Denis Berthiaume, said he cannot yet put a dollar figure on the financial loss to the co-operative.

There has not been, he said, a noticeable increase in reported fraud compared to last year, suggesting the damage may be limited.

"It's one thing to have that information; it's another thing to use it fraudulently," Berthiaume said. "We're telling our members to be vigilant about the activity in their accounts."

If members notice any unusual activity, they're asked to notify the co-op. Desjardins has also set up a website for affected members and businesses.