Quebec-based credit union the Desjardins Group is grappling with a major leak of customers’ personal information.
The financial institution has disclosed that an employee with "ill-intentions" at Desjardins Group collected the personal information of nearly three million people and businesses and shared it outside the bank.
Specifically, the data breach impacts 2.7 million people and 173,000 businesses, more than 40% of the co-operative's clients and members. Desjardins Group is the largest federation of credit unions in North America, with outlets across Quebec and Ontario. The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits.
Desjardins Group said that passwords, security questions and personal identification numbers were not compromised in the data leak. Desjardins Group President Guy Cormier said at a news conference that the security breach was not the result of a cyberattack, but the work of an employee who improperly accessed and shared the information.
That employee has been fired and arrested by police but has not yet been charged. The data breach is one of the largest ever among Canadian financial institutions. It took several months for the Desjardins Group to learn the scope of the data-gathering scheme, after it referred a suspicious transaction to Laval police in December 2018.
