Desjardins says personal info of 2.9 million members shared illegally by employee

Desjardins President and CEO Guy Cormier leaves a news conference in Montreal on Thursday, June 20, 2019. Paul Chiasson/The Canadian Press

Desjardins Group said Thursday the personal information of more than 2.9 million of its members has been shared with individuals outside of the organization in a “malevolent” act.

The Quebec-based financial institution said the breach affects 2.7 million individual members and 173,000 business members.

It said the situation is the result of unauthorized and illegal use of its internal data by an employee who has since been fired.

Desjardins noted the incident, which affected more than 40 per cent of its members, was not the result of a cyberattack and that its computer systems were not breached.

Desjardins Group chief executive Guy Cormier said the lone suspect “acted illegally, betraying the confidence of Desjardins.”

“Honestly, this situation right now is totally unacceptable,” Cormier told reporters.

“We regret this situation and are making every effort to ensure that it doesn’t happen again.”

Desjardins said personal members may have had several pieces of information released including their name, date of birth, social insurance number, address, phone number, email address and details about their banking habits.

Passwords, security questions and personal identification numbers were not compromised, the organization said.

Business members had information such as their business name, addresses, telephone numbers and owner names exposed.

Desjardins said it was working with police and has implemented additional security measures.

As a precaution, it said it is also offering to pay for a credit monitoring plan and identity theft insurance for 12 months for affected members.

Customers affected financially by the breach will be reimbursed, executives said, but declined to put a number on the potential cost to the organization.

“We’re talking potentially about fraud. But we cannot answer, it’s connected to the investigation that is underway by the police authority,” said operations chief Denis Berthiaume.

The company has not seen an increase in instances of fraud, Berthiaume added.

Police said the male suspect was detained, but is no longer in custody.

Laval police declined to offer a possible motive for the breach, noting the investigation is ongoing.

No charges have been laid.

“It’s shocking news, because it’s a high volume,” said Mourad Debbabi, research chair in cybersecurity at Concordia University. “That’s sensitive information. You can do a lot with that.”

“When you collect sensitive information, personal information…you have to put in place storage protocols and handling protocols.”

The security breach is among the biggest in Canada to come about internally, as opposed to an external cyberattack, in recent years.

The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.

In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline’s mobile app.

In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.
