OTTAWA - The current system for identifying Canadians is inadequate for the digital age, the chief executive of Desjardins Group told MPs in an emergency parliamentary committee meeting Monday grappling with the fallout of a major data breach at his financial-services company.
The breach, revealed in June, saw the leak of names, addresses, birthdates, social-insurance numbers and other private information from roughly 2.7 million people and 173,000 businesses.
Desjardins, a Quebec-based co-operative, said a single employee, who has been fired since the breach was detected in December 2018, was responsible. A police investigation into the incident is ongoing.
CEO Guy Cormier said he was “ambivalent” about the committee meeting because he thought it was “premature” to discuss the situation while the investigation is still on. But he said his company is committed to being transparent and working with authorities on the issue.
“We must all learn from what Desjardins has undergone,” Cormier said in French.
Cormier told lawmakers on the House of Commons' public-safety committee that although he could not recommend a particular new regime for identifying people in the digital age, “the status quo is not an option” when it comes to preventing identity theft and protecting private data.
He recommended the government convene a special working group made up of representatives from the government, the financial sector, telecommunications, legal experts and others to determine a new framework for data and privacy in Canada.
That won't likely happen any time soon. John McKay, the Liberal chair of the committee, said the committee has not set any further meetings on the subject and would likely not take it up again this summer. He said he hopes the next version of his committee, formed after the election, would examine what he called a perfect case study of cybersecurity gone wrong.
McKay said he felt as though Desjardins had not been adequately held to account over procedures were in place to stop employees from breaching data protection rules.
“I would have preferred to see questioning be far more pointed,” he said in an interview after the meeting.
“We're here to listen to them, to understand their perspective, and to develop a way forward that is going to be advantageous to all Canadians,” said Alberta Conservative MP Glen Motz prior to the meeting.
Though it bore some responsibility, Desjardins “is also a victim in this,” he said.
During the meeting, Denis Berthiaume, the chief operating officer at Desjardins, said the cybersecurity risk posed by employees was one of the most difficult to manage. But he said the company did have strong security policies and this was a case of an employee violating all those rules and procedures.
Much of the meeting Monday focused on how best to help Canadians cope with the consequences of the breach.
Conservative Leader Andrew Scheer had called for members to look into whether re-issuing social insurance numbers for those affected might help protect them from identity theft and fraud.
But during testimony, a senior official from Service Canada said new insurance numbers would not necessarily stop the fraud, and could result in further errors during the re-issuing process.
Other officials from the RCMP and the Canadian Centre for Cyber Security emphasized that anti-fraud measures started with education and awareness from the public.
Andre Boucher, the associate head of the Centre for Cyber Security, said much of cybersecurity is about a “back to basics” approach.
He added that the “financial sector is one that is very mature” when it comes to data protections, and despite the Desjardins breach Canadians could be “reassured” by that fact.
Earlier in the day, Cormier announced Desjardins would extend protections to all of its clients by protecting and compensating them for fraudulent transactions, giving them access to services to deal with identity theft, and paying related fees if identity theft occurs.
Cormier said 13 per cent of the co-operative's members - more than 360,000 people - had signed up for credit monitoring through Equifax, one measure Desjardins is offering to protect victims of the breach.
He said the company had offered its own protections in order to cover the percentage of clients who were not signed up through Equifax.
In addition to the committee's meeting and police investigation, privacy commissioners in Ottawa and Quebec will be working in tandem to investigate the issue and determine whether Desjardins had adequate data-protection policies in place.