It was learned on June 20th that an employee at Desjardins Group had improperly collected information about customers and shared it with a third party outside the financial institution. The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits. Passwords, security questions and personal identification numbers weren't compromised, according to Desjardins. Business members had information such as their business name, addresses, telephone numbers and owner names exposed.
The employee who leaked the information has not been publicly identified. He was promptly fired and was arrested by Laval police, but no charges have been laid yet. An investigation is still ongoing.
The Desjardins website lists what they have done in response to the breach, including contacting the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec and the Autorité des marchés financiers. They have enhanced their procedures to confirm identities when customers call, actively monitoring accounts for fraudulent activities, and will continue to work with the police and privacy experts. Desjardins has also offered to pay for a credit monitoring plan and identity theft insurance for affected members up to five years.
This security breach is among the biggest in Canada to come about internally, as opposed to an external cyberattack, in recent years. Though the investigation continues, no one knows what was done with the information, or who it might have been sold to. “With almost three million individuals and businesses affected, whoever he sold it do or disclosed it to…if that took place…that is a treasure trove to potentially make false refund claims on HST or income tax returns or even insurance,” said Denis Meunier, former deputy director of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
In addition to credit monitoring, Desjardins may also be on the hook for more, as two class action lawsuits were filled in Quebec on Friday. It remains to be seen if more suits follow, or if any fines will be imposed. It’s worth remembering, a rogue employee can be as costly as an outsider. It remains to be seen what protocols Desjardins had in place prior to the breach, and what they will implement going forward to prevent this from happening again.