Personal data of 2.7 million people leaked from Desjardins

An employee with "ill-intention" atDesjardins Groupcollected information about nearly threemillion people and businessesand shared it with others outside the Quebec-based financial institution, officialsrevealedThursday.

The data breach affects around 2.7 million people and173,000 businesses,more than 40per cent of the co-operative's clients and members.Desjardinsis the largest federation of credit unions in North America, with outlets across Quebec and Ontario.

The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses andinformation about transaction habits.

However, Desjardins said, passwords, security questions and personal identificationnumbers were not compromised.

DesjardinsCEO and presidentGuy Cormier said the security breach was not the result of a cyberattack, but the work of an employee who improperly accessed and shared the information.

That employee has been fired. He was arrested by Laval policebut has not yet been charged. Cormier said he felt "betrayed" by the former employee's actions.

"I won't sayall the words that I have in mind at the moment, because I know I'm in front of television cameras," Cormier said at a news conference in Montreal.

The breach looks to be one of the largest ever among Canadian financial institutions, according to one cybersecurity expert and author.

"This is certainly a historic event," saidClaudiu Popa, who heads the data security firm Datarisk Canada.

Suspicious transaction

It took several months forDesjardinsto learn the scope of the data-gathering scheme, after itreferred a suspicious transaction to Laval police, amid routine monitoring, in December 2018.

In May, police told Desjardinsthat the personal information of some itsmembers had been leaked.

An internal investigation was conducted with the help of Laval police, Desjardins' chief operating officer,Denis Berthiaume, said Thursday.

That investigation identified theemployee. He was suspended and his access to Desjardinsinformation systems was frozen.

"The transfer of information ceased when he was suspended,"Berthiaumesaid.

In the meantime, Laval police continued to investigate and, on Friday,informed Desjardinsof the scope of the data breachand the identities of those affected.

Cormier defended the security procedures that were in place when the breach occurred.

"There is no one at Desjardins who can turn on their computer in the morning and get access to the information of all our members," said Cormier. "We're a lot more secure than that."

The suspected employee created a scheme to win the trust of his colleagues, he said. The employee allegedly used their access, and his own, to assemble the data trove.

"Internal fraud is the fraud that is the most difficult, the most complexto detect," Cormier added.

A spokesperson for Laval police refused to give details about the investigation, or the suspect, in order to protect theongoing investigation. Desjardins said the employee, a male, worked in the data department.

Promises to reimburse

Quebec's regulator of financial institutions, the Autorits des marchs financiers (AMF), described the situation as "very serious" but said it is "satisfied with the actions" taken sofar by Desjardins Group.

"The institution's officers have handled the situation with due rigour, transparency and speed," AMF said in a news release.

The Desjardins Group said additionalsecurity measures have been put in place to protect data, and it will be contacting every member affected by the leak individually.

Anyone whose data was affected will receive a 12-month credit monitoring plan, paid for by Desjardins. That service includes access to daily credit reports, alerts of any changes and identity theft insurance.

"I want to be really clear," said Cormier. "Our members will be reimbursed [for any losses they incur.] There will be no cost to our members."

Desjardins Group's chief operating officer, Denis Berthiaume, said he cannot yet put a dollar figure on the financial loss to the co-operative.

There has not been, he said, a noticeable increase in reportedfraud compared to last year, suggesting the damage may be limited.

"It's one thing to have that information; it's another thing to use it fraudulently,"Berthiaumesaid. "We're telling our members to be vigilant about the activity in their accounts."

If members notice any unusual activity, they're asked to notify the co-op. Desjardins has also set up a website for affected members and businesses.