Data Breach Hits Desjardins, 2.7 Million People Affected

A data breach that hit the Desjardins Group has affected around 2.7 million people.

Reports say that more than 40 percent of clients and members of the Quebec-based credit union Desjardins have been affected by a recent data breach.

A Facebook update by the Desjardins Group says that on June 14, 2019, the co-operative was contacted by the Laval police with information confirming the breach of personal information of 2.9 million members.

In a message to its members, the Desjardins Group says, “A Laval police investigation, which Desjardins has been closely involved with, has revealed that the personal information of 2.9 million members (2.7 million personal members and 173,000 business members) was disclosed to individuals outside Desjardins without authorization.”

It has been found that an employee, who has now been fired, was behind the breach. The official statement reads, “The investigation quickly traced the leak to a single source: an ill-intentioned employee who acted illegally and betrayed the trust of their employer. That person was fired.”
In the wake of the incident, the Desjardins Group has adopted additional security measures to ensure that all personal and financial data belonging to members remain protected.

Reports say that leaked data includes names, addresses, dates of birth, email addresses, social insurance numbers and information about transaction habits. It is also clarified that passwords, security questions and PINs were not compromised.

It’s reported that the employee who was behind the leak has been arrested by the police, but not yet charged. Reports even say that according to some experts, the Desjardins data breach looks to be one of the largest ever among breaches impacting Canadian financial institutions.

It was in December 2018 that Desjardins referred a suspicious transaction to Laval police. Later, in May 2019, police informed Desjardins that personal data belonging to some of its members had been leaked. An internal investigation was conducted with the help of the Laval police and the investigation helped identify the employee. The person was suspended and his access to the Desjardins Group’s information systems was frozen. Desjardins’ chief operating officer, Denis Berthiaume has stated that when the employee was suspended, the transfer of information also stopped. The Laval police continued with the investigation and later informed Desjardins of the scope of the breach and also shared the identities of those affected by the breach.

Desjardins CEO and president Guy Cormier has clarified that security procedures were all in place when the data breach occurred and the breach, which was a cause of internal fraud, occurred with the suspected employee winning the trust of his colleagues and using their access, plus his own, to assemble the data trove. He has reportedly clarified that otherwise a single employee cannot just turn on a system and get access to all information pertaining to members. Though details about the investigation or the identity of the suspect hasn’t been divulged, it’s reported that the suspect is a male who worked in the data department.

The Desjardins Group has stated that in addition to notifying authorities, additional monitoring and security measures have also been introduced to protect personal and financial information of its members. Procedures have also been enhanced to confirm members’ identity when they call Desjardins. Every member who has been affected will be contacted individually. Those who have been affected will receive a free 12-month credit monitoring plan, paid for by Desjardins. This service would include access to daily credit reports, alerts of any changes and identity theft insurance. It has been clarified that losses, if any, would be reimbursed for the members.

The Desjardins Group has asked members to be vigilant about activities happening in their accounts and notify the co-operative in case they notice anything unusual.

The Desjardins Group is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.

Related Resources:

The Top 10 Worst Data Breaches of all Time

Ways to Prevent Healthcare Data Breaches