Desjardins Group, the largest financial co-operative in North America, said an “ill-intentioned” employee illegally exposed the personal information of some 2.9 million credit union members in one of Canada’s largest data leaks.
Laval police alerted the Quebec-based institution on June 14 with information confirming that personal details from 2.7 million individual clients and 173,000 business members had been shared outside the firm, Desjardins said Thursday in a statement. The company described the situation as the outcome of “unauthorized and illegal use” of internal data by an employee who has since been fired.
“For Desjardins, it’s one in a lifetime,” Chief Operating Officer Denis Berthiaume said in a phone interview. “We’ll make every effort so that this will be the last one.”
The disclosure was the result of a months-long police investigation precipitated when the lender spotted a suspicious transaction in late 2018 and contacted authorities, according to Berthiaume. By late May, police told Desjardins that information from “a small number” of members had been leaked.
Desjardins tightened security and ran its own investigation to trace the leak, identifying one employee who acted illegally. The police probe ultimately identified an even larger number of people affected.
“Our inquiry now is finished and it’s very clear in our minds that the individual acted alone,” Berthiaume said. “We were really quick to identify him. We suspended him, we stopped his data access and a few days later we fired him.”
The information affected included names, birthdates, social insurance numbers, email addresses, phone numbers, street addresses and details on banking habits. Passwords, security questions and personal identification numbers weren’t compromised, and the incident was not a “cyberattack,” the financial co-operative said. Berthiaume said it involved mostly Quebec clients and its banking operations.
The lapse appears to be one of the largest in Canada. In May 2018, Canadian Imperial Bank of Commerce alerted clients that “fraudsters” claimed to have electronically breached personal and financial information from about 40,000 accounts from its Simplii Financial online banking business. Bank of Montreal was also affected in an attack it believed came from outside the country, affecting fewer than 50,000 clients.
National Bank of Canada said a website glitch may have exposed the personal information of about 400 customers in September 2017 due to human error in setting up an electronic form on the Montreal-based lender’s website.
Credit rating firm Equifax Inc. disclosed that intruders got access to personal information of 19,000 Canadians in a 2017 data breach that affected more than 143 million U.S. customers.
Data breaches aren’t just the purview of financial firms. Air Canada locked accounts of clients using the airline’s mobile app last August after detecting unusual login behavior. Goldcorp Inc. was hit by hackers in 2016 as part of an attempt to extort money from the gold company. A year earlier, hackers exposed the names of more than 37 million anonymous users at the Canada-based adultery website AshleyMadison.com run by Avid Life Media Inc.