MONTREAL–A former employee described as acting with “ill intention” allegedly contributed to a data breach affecting 2.7 million people who are part of Desjardin credit unions in Quebec and Ontario.
The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits. However, Desjardins representatives said passwords, security questions and personal identification numbers were not compromised, according to the Canadian Broadcasting Corp. (CBC). Approximately 40% of the cooperatives’ members were impacted, CBC said.
During a press conference here, Desjardins CEO and President Guy Cormier said the security breach was not the result of a cyberattack, but the work of an employee who improperly accessed and shared the information. That employee has been fired and now has been arrested, but has not yet been charged, according to CBC. Cormier said he felt "betrayed" by the former employee's actions.
"I won't say all the words that I have in mind at the moment, because I know I'm in front of television cameras," Cormier was quoted as saying by CBC during the press conference.
The breach is considered to be one of the largest ever among Canadian financial institutions.
Several Months of Investigation
According to Desjardins, it took several months to uncover the full scope of the data-gathering scheme after it was referred to Laval police, beginning in December 2018. December 2018. In May, police told Desjardins that the personal information of some its members had been leaked, CBC reported.
With the help of police, an internal investigation was conducted, according to Desjardins' chief operating officer, Denis Berthiaume. That investigation identified the employee, who was suspended and his access to Desjardins information systems was frozen, CBC said.
"The transfer of information ceased when he was suspended," Berthiaume said.
Police have now informed Desjardins of the scope of the data breach and the identities of those affected.
Security Procedures Defended
Cormier defended the security procedures that were in place when the breach occurred, CBC said. “There is no one at Desjardins who can turn on their computer in the morning and get access to the information of all our members," Cormier said during the press conference. "We're a lot more secure than that."
The suspected employee created a scheme to win the trust of his colleagues, he said, and then allegedly used their access, and his own, to assemble the data trove, according to the report.
"Internal fraud is the fraud that is the most difficult, the most complex to detect," Cormier added.
The Desjardins Group said additional security measures have been put in place to protect data, and it will be contacting every member affected by the leak individually. Anyone whose data was affected will receive a 12-month credit monitoring plan, paid for by Desjardins. That service includes access to daily credit reports, alerts of any changes and identity theft insurance.