Montreal-area police announced Wednesday that they have arrested three people in connection with a major data theft and $8.9-million fraud involving the co-operative financial group Desjardins, some five years after the alleged crime.
Police in Laval, Que., said one of the suspects was caught with a list of personal data for 1.6 million Quebecers.
The arrests are tied to a 2019 data theft, described as the largest ever in the Canadian financial services sector, that targeted more than 9.7 million Desjardins clients in Canada and internationally, including almost seven million Quebecers.
Laval police deputy director of criminal organizations Jean-François Rousselle said the suspects were allegedly able to use the stolen personal information to get access to the clients’ accounts through the bank’s online banking platform, Accès D.
“These individuals used the data stolen from Desjardins in order to facilitate the conduct of their operations and to disperse funds in Canada, the United States, but also throughout the world,” Rousselle said.
“The main method of operation was to obtain, via the Accès D service, a temporary password using the users’ personal information that they had in their possession, to then proceed with transactions made directly from bank accounts via the web platform.”
Police said the three suspects used the stolen data to commit fraud totalling $8.9 million between September 2018 and January 2019.
Thirty-six-year-old Ayoub Kourdal, and 33-year-old Imad Jbara were scheduled to appear in court Wednesday, while a court date for the third suspect has not been set. They face charges of fraud over $5,000, trafficking in identity information, possession of identity information, and identity theft.
Police said they are searching for a fourth person in connection with the fraud and data theft.
Rousselle said the investigation was one of the most complex in the force’s history and involved the help of the Quebec provincial police and prosecutors.
It led to raids in Montreal, Laval and St-Augustin-de-Desmaures in 2019 that resulted in the seizure of a large amount of data and 70 pieces of computers and equipment containing thousands of documents and files.
The Office of the Privacy Commissioner of Canada and the Commission d’accès à l’information du Québec published scathing reports in 2020 that concluded Desjardins failed to show the level of attention required to protect its customers’ data.
The OPC report found that Desjardins had been aware of the security weaknesses that led to the breach, but failed to address them in time. The breach occurred “over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by the police,” it found.
The leak was blamed on an employee of the marketing team who was able to access confidential information, despite not having the clearance level to do so, because other employees would copy the information onto a shared drive.