An employee of Desjardins Group collected information of about three million people and businesses and shared it outside the Quebec-based financial institution, officials revealed Thursday, 20th June, 2019.
The data breach affected 2.7 million people and 173,000 businesses, which amount to more than 40 per cent of the co-operative’s clients and members. Desjardins is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.
The leaked information includes:
- birth dates,
- social insurance numbers,
- email addresses
- and information about transaction habits.
However, Desjardins said, passwords, security questions and personal identification numbers were not compromised.
An internal investigation was conducted with the help of Laval police, the employee was identified. He was suspended and his access to Desjardins information systems was frozen. The suspected employee created a scheme to win the trust of his colleagues, he said. The employee allegedly used their access, and his own, to assemble the data trove.
That employee has been fired and arrested by Laval police but has not yet been charged. Guy Cormier said he felt “betrayed” by the former employee’s actions.
The breach looks to be one of the largest ever among Canadian financial institutions, according to one cybersecurity expert and author. “This is certainly a historic event,” said Claudiu Popa, who heads the data security firm Datarisk Canada.
It took several months for Desjardins to learn the scope of the data-gathering scheme, after it referred a suspicious transaction to Laval police, amid routine monitoring, in December 2018. In May, police told Desjardins that the personal information of some its members had been leaked.
Going forward, the credit union will offer free, permanent data protection to all its members. Anyone whose data was affected will receive Equifax 5 years credit monitoring plan, paid for by Desjardins. That service includes access to daily credit reports, alerts of any changes and identity theft insurance.
The coy has not yet put a dollar figure on the financial loss to the co-operative.”I want to be really clear,” said Cormier. “Our members will be reimbursed for any losses they incur. There will be no cost to our members.”
If members notice any unusual activity, they’re asked to notify the co-op. Desjardins has also set up a website for affected members and businesses.
Today, the members of parliament in Ottawa has reconvene to find ways to mitigate the risk of affected Desjardins customers and to find solutions to this kind of breaches in the future.