A series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest to date in the Canadian financial services sector, the federal privacy watchdog has found.
Privacy commissioner Daniel Therrien said Monday that Desjardins did not demonstrate the level of attention needed to protect the sensitive personal information entrusted to its care.
The incident compromised the data of nearly 9.7 million Canadians.
“Canadians expect banking information to have a high level of protection, given its sensitivity,” Therrien told a news conference..
“We recognize that’s easier said than done for a financial institution given the amount of personal data it owns and the level of complexity of its systems. However, an organization such as Desjardins has the means to comply with the law.”
For at least 26 months, a rogue employee was siphoning sensitive personal information collected by Desjardins from customers who had purchased or received products through the organization, Therrien found.
For some, the data included first and last names, dates of birth, social insurance numbers, street addresses, telephone numbers, email addresses and transaction histories.
“Such data elements can be considered sensitive on their own,” the report said. “When combined, they can also be exploited by malicious individuals to steal the identities of the persons concerned.”
This information was originally stored in two data warehouses to which the employee in question had limited access, the commissioner said.
However, other employees, in the course of their work, would regularly copy that information onto a shared computer drive. As a result, employees who would not usually have the required clearance or need to access some of the confidential data were able to do so, Therrien found.
Desjardins had recognized some of the security weaknesses that ultimately led to the breach and had developed a plan to remedy them, but did not put it in place in time to prevent what happened, Therrien noted.
The breach occurred over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by police, he added.
The commissioner said his investigation sheds light on the risks posed by internal threats, whether they are intentional or not.
The probe revealed that Desjardins failed to meet several of its obligations under the federal privacy law governing companies. Therrien found:
- Desjardins did not ensure proper implementation of its policies and procedures for managing personal information, some of which were inadequate;
- The access controls and data segregation of the company’s databases and directories were lacking;
- Employee training and awareness were inadequate, considering the sensitive nature of the personal information;
- Desjardins did not have proper procedures regarding the periodic destruction of personal information.
Desjardins agreed to recommendations to improve information security and the protection of personal data, Therrien said.
The company has committed to provide progress reports every six months as well as hire external auditors to assess and certify its programs.
“Ultimately, we are satisfied with the overall mitigation scheme that Desjardins is providing to affected individuals, which goes beyond what we have seen from other organizations,” Therrien said.
In a statement, Desjardins said its investigation suggests 4.2 million people who had active accounts might have had their data disclosed; not the 9.7 million that includes people with inactive accounts as well.
But the institution said it has tightened controls. Desjardins created a 900-person security office with a budget starting at $150 million in 2019 and it’s to expand its data-protection capabilities substantially in 2021.
“Desjardins has made great strides in information security over the past 18 months and will continue to apply international best practices,” the statement said.
“Over the next few years, Desjardins will continue to work with other partners to create a digital identity platform for Canadians. This will allow information to be shared more securely and give people more control over their own information.”
Therrien’s office and the Commission d’accés à l’information du Québec, which also published a report Monday on the breach, agreed last year to co-ordinate their respective probes.
Diane Poitras, head of the Quebec commission, said the consequences of the lapse, the largest to occur in the province, “should convince any organization to implement all appropriate measures to prevent this type of incident from happening, something Desjardins failed to do.”