Personal data of 2.7 million people leaked from Desjardins
An employee with "ill-intention" at Desjardins Group collected information about nearly three million people and businesses and shared it with others outside the Quebec-based financial institution, officials revealed Thursday.
The data breach affects around 2.7 million people and 173,000 businesses, more than 40 per cent of the co-operative's clients and members. Desjardins is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.
The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits.
However, Desjardins said, passwords, security questions and personal identification numbers were not compromised.
Desjardins CEO and president Guy Cormier said the security breach was not the result of a cyberattack, but the work of an employee who improperly accessed and shared the information.
That employee has been fired. He was arrested by Laval police but has not yet been charged. Cormier said he felt "betrayed" by the former employee's actions.
"I won't say all the words that I have in mind at the moment, because I know I'm in front of television cameras," Cormier said at a news conference in Montreal.
Cormier, right, and chief operating officer Denis Berthiaume took questions about the data breach on Thursday. (Paul Chiasson/Canadian Press)
The breach looks to be one of the largest ever among Canadian financial institutions, according to one cybersecurity expert and author.
"This is certainly a historic event," said Claudiu Popa, who heads the data security firm Datarisk Canada.
Suspicious transaction
It took several months for Desjardins to learn the scope of the data-gathering scheme, after it referred a suspicious transaction to Laval police, amid routine monitoring, in December 2018.
In May, police told Desjardins that the personal information of some its members had been leaked.
An internal investigation was conducted with the help of Laval police, Desjardins' chief operating officer, Denis Berthiaume, said Thursday.
That investigation identified the employee. He was suspended and his access to Desjardins information systems was frozen.
"The transfer of information ceased when he was suspended," Berthiaume said.
In the meantime, Laval police continued to investigate and, on Friday, informed Desjardins of the scope of the data breach and the identities of those affected.
Laval police inspector Francois Dumais said a Desjardins employee has been arrested in connection with the data breach, but has not yet been charged. (Paul Chiasson/Canadian Press)
Cormier defended the security procedures that were in place when the breach occurred.
"There is no one at Desjardins who can turn on their computer in the morning and get access to the information of all our members," said Cormier. "We're a lot more secure than that."
The suspected employee created a scheme to win the trust of his colleagues, he said. The employee allegedly used their access, and his own, to assemble the data trove.
"Internal fraud is the fraud that is the most difficult, the most complex to detect," Cormier added.
A spokesperson for Laval police refused to give details about the investigation, or the suspect, in order to protect the ongoing investigation. Desjardins said the employee, a male, worked in the data department.