A data breach that caused nearly 9.7 million Canadians’ personal information to be stolen—the largest ever in Canada’s financial services—was due to gaps in administrative and technology safeguards at Desjardins, a privacy watchdog reported.
In an investigative report released on Monday, the Office of the Privacy Commissioner of Canada (OPC) said Desjardins, a financial institution that offers insurance and wealth management services, “did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care.”
The investigation was launched by OPC and Quebec’s Commission de l’accès à l’information (CAI) in July 2019 after Desjardins notified them of the breach in its security safeguards.
“When this incident first came to light in the media, citizens were shocked because we expect financial institutions to be extremely rigorous when it comes to data security,” Privacy Commissioner Daniel Therrien said in a statement on Monday.
For at least 26 months, an ill-intentioned employee had been stealing sensitive personal information of Desjardins customers who had purchased or received products through the company, according to Therrien’s findings. The compromised information included the customers’ first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses, and transaction records.
The information was originally stored in two data warehouses, to which the accused employee, Sébastien Boulanger Dorval, had only limited access.
He obtained the data anyway after colleagues in the marketing department, in the course of their duties, copied it out of the warehouses onto a shared drive that was readable by every employee at Desjardins.
Dorval then transferred the information from the shared drive onto his computer and onto USB keys, in violation of the confidentiality agreement he had signed with the company.
According to a report by TVA Nouvelles in October 2019, Dorval is suspected of selling some of the personal information to a private lender. Some of that information was “reportedly then forwarded to a second lender, who was also a mortgage broker, and his partner, an investment and insurance adviser.”
That same month, Radio-Canada reported “this partner allegedly admitted to investigators from the Autorité des marchés financiers that he paid $40,000 to buy lists of Desjardins members’ personal information.” The police investigation into the breach is still ongoing.
Therrien said that although Desjardins had already recognized some of the security weaknesses that eventually led to the breach, and had developed a plan to correct them, they were “too slow to react.”
The investigation found that Desjardins had failed to meet several of its obligations under the Personal Information Protection and Electronic Documents Act, the federal privacy law that governs how private-sector organizations collect, use, disclose and safeguard an individual’s personal information, including the requirement to obtain that individual’s consent.
The failures include: not ensuring that its policies and procedures for managing personal information, some of which were themselves inadequate, were properly implemented; inadequate access controls and data segregation for its databases and directories; a lack of sensitivity training and awareness for employees handling personal information; and the absence of retention periods or procedures for the destruction of personal information.
According to the OPC, Desjardins has agreed to improve its information security and its protection of personal information in line with the recommendations, and to provide progress reports to the OPC every six months. The firm will also engage external auditors to assess and certify its program, and will submit their assessment report to the OPC.
In its press release on Monday, Desjardins said it has “made great strides in information security over the past 18 months and will continue to apply international best practices.”