A man wanted by Quebec provincial police in connection with the massive Desjardins data breach that affected nearly 10 million clients has been arrested in Spain after evading authorities for more than a year.
The Sûreté du Québec (SQ) said Tuesday that Juan Pablo Serrano, 40, was arrested by Spanish authorities on Nov. 6, 2025, following a joint operation involving police in Spain, Interpol, and the SQ.
Serrano had been sought since June 2024 by the SQ’s financial crime and cybercrime units for theft and resale of personal information belonging to the 9.7 million clients of Desjardins Group, one of Canada’s largest financial institutions.
Police allege Serrano purchased the stolen data from a former Desjardins employee and used it for various fraud schemes.
“This wasn’t a hack like most people think — it was an insider threat, which meant this person had way too much access,” cybersecurity expert Terry Cutler told Global News on Tuesday.
Interpol had issued a Red Notice — a request to police worldwide to help find and temporarily detain a person pending extradition or surrender — for Serrano to help locate him internationally.
Get daily National news
Quebec police say he was considered one of the province’s most-wanted fugitives.
Authorities say Serrano will remain in custody in Spain while extradition proceedings are initiated to return him to Canada.
Once back in the country, he is expected to face multiple charges including identity theft, trafficking in identity information, and fraud over $5,000.
The SQ credited Spanish authorities, Interpol and several national and international partners for the arrest, including the U.S. Secret Service Ottawa Field Office and its Madrid Resident Office, “whose contributions were instrumental to the success of this operation,” the SQ said in a release.
The Desjardins data breach, first uncovered in 2019, exposed the personal information of millions of clients and has been described as one of the largest privacy breaches in Canadian history.
The breach occurred over more than a two-year period before the financial institution became aware of it.
Multiple arrests made, scathing privacy findings in Desjardins case
Five other suspects were arrested back in June 2024 in connection with the case, including the alleged architect of the scheme, Sébastien Boulanger-Dorval, 42, who worked in the marketing department until 2019.
The four others were Jean-Loup Masse-Leullier, 32, François Baillargeon-Bouchard, 35, Laurence Bernier, 29, and Charles Bernier, 31.
At the time, police said arrest warrants had been issued for three others allegedly involved in the fraud scheme: Mathieu Joncas, 38, Maxime Paquette, 38, and Serrano.
Authorities said three others were arrested between September 2018 and January 2019: Ayoub Kourdal, 36, Imad Jbara, 33, and an unnamed third person.
The ages of the suspects were provided by police in 2024.
The Office of the Privacy Commissioner of Canada and the Commission d’accès à l’information du Québec published scathing reports in 2020 that concluded Desjardins failed to show the level of attention required to protect its customers’ data.
The report said Desjardins notified the federal office on May 27, 2019, about a breach involving close to 9.7 million individuals in Canada and internationally.
It found that Desjardins had been aware of the security weaknesses that led to the breach, but failed to address them in time.
–with files from The Canadian Press
-
![]()
The ‘Tea’ app data leak exposes more than 72,000 user images -
![]()
Massive data breach leaks 16 billion passwords -
![]()
British data leak: Defence secretary says ‘highly unlikely’ exposed Afghans at risk from Taliban -
![]()
Business Matters: Canada’s privacy commissioner launches investigation into Ticketmaster breach -
![]()
Ticketmaster hacked: Canadians’ data likely among leaked information -
![]()
Staying protected online in wake of ‘supermassive’ data breach
Comments