A Caisse populaire Desjardins sign is seen in Montreal on Tuesday, June 18, 2019. The federal privacy watchdog says a series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest in the Canadian financial services sector. THE CANADIAN PRESS/Paul Chiasson

A Caisse populaire Desjardins sign is seen in Montreal on Tuesday, June 18, 2019. The federal privacy watchdog says a series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest in the Canadian financial services sector. THE CANADIAN PRESS/Paul Chiasson

Series of gaps allowed massive Desjardins data breach, privacy watchdog says

The incident compromised the data of nearly 9.7 million Canadians

A series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest to date in the Canadian financial services sector, the federal privacy watchdog has found.

In a report today, privacy commissioner Daniel Therrien said Desjardins did not demonstrate the level of attention needed to protect the sensitive personal information entrusted to its care.

The incident compromised the data of nearly 9.7 million Canadians.

“Canadians expect banking information to have a high level of protection, given its sensitivity,” Therrien told a news conference today.

For at least 26 months, a malicious employee was siphoning sensitive personal information collected by Desjardins from customers who had purchased or received products through the organization, Therrien found.

This information was originally stored in two data warehouses to which the employee in question had limited access, the commissioner said.

However, other employees, in the course of fulfilling their work, would regularly copy that information onto a shared drive. As a result, employees who would not usually have the required clearance or the need to access some of the confidential data were able to do so, Therrien found.

The commissioner says the investigation into the breach sheds light on the risks of internal threats, whether they are intentional or not.

The investigation revealed that Desjardins failed to meet several of its obligations under the federal privacy law governing companies. Therrien found:

  • Desjardins did not ensure proper implementation of its policies and procedures for managing personal information, some of which were inadequate;
  • The access controls and data segregation of the company’s databases and directories were lacking;
  • Employee training and awareness were inadequate, considering the sensitive nature of the personal information;
  • Desjardins did not have proper procedures regarding the periodic destruction of personal information.

Desjardins agreed to a series of recommendations to improve information security and the protection of personal data, Therrien said.

The company has committed to provide progress reports every six months as well as hire external auditors to assess and certify its programs.

Therrien’s office and the Commission d’accès à l’information du Québec, which also published its report today, co-ordinated their respective probes.

Jim Bronskill, The Canadian Press

Like us on Facebook and follow us on Twitter.

Want to support local journalism? Make a donation here.

Just Posted

Comox Valley medical clinics are all open, including the availability to book face-to-face care (i.e. for a physical examination) as per your clinic’s protocol (most clinics operate a “virtual care first” policy). ADOBE STOCK IMAGE
Northern Health launches virtual primary care clinic

Northerners without a family physician or nurse practitioner will now have access to primary care

Demonstrators lined Hwy 16 May 5 to mark the National Day of Awareness for Missing and Murdered Indigenous Women and Girls. (Deb Meissner photo)
VIDEO: Smithers gathering marks Red Dress Day honouring missing and murdered Indigenous women and girls

Approximately 70 people lined Hwy 16, drumming, singing and holding up placards

“Skeena,” by John Hudson and Paul Hanslow is one of five fonts in the running to become the default for Microsoft systems and Office programs. (Black Press Media File Photo)
Font named after Skeena River could become the next Microsoft default

One of the five new fonts will replace Calibri, which has been Microsoft’s default since 2007

The road to Telegraph Creek (Hwy 51) was closed April 15 due to a washout. On May 4, the road was opened to light-duty passenger vehicles during specific times. (BC Transportation and Infrastructure/Facebook)
Telegraph Creek Road opens for light-duty vehicles

Road has been closed since April 15 due to a washout

Prince Rupert was one of the first B.C. communities targeted for mass vaccination after a steep rise in infections. Grey area marks community-wide vaccine distribution. (B.C. Centre for Disease Control)
B.C. tracks big drop in COVID-19 infections after vaccination

Prince Rupert, Indigenous communities show improvement

The bodies of Carlo and Erick Fryer were discovered by a local couple walking on a remote forest road in Naramata on May 10. (Submitted)
Kamloops brothers identified as pair found dead near Penticton

The bodies of Carlo and Erick Fryer were discovered by a local couple walking

Municipal governments around B.C. have emergency authority to conduct meetings online, use mail voting and spend reserve funds on operation expenses. (Penticton Western News)
Online council meetings, mail-in voting option to be extended in B.C.

Proposed law makes municipal COVID-19 exceptions permanent

Cannabis bought in British Columbia (Ashley Wadhwani/Black Press Media)
Is it time to start thinking about greener ways to package cannabis?

Packaging suppliers are still figuring eco-friendly and affordable packaging options that fit the mandates of Cannabis Regulations

A nurse prepares a dose of the COVID-19 vaccine in Kelowna on Tuesday, March 16. (Phil McLachlan/Black Press)
British Columbians aged 20+ can book for vaccine Saturday, those 18+ on Sunday

‘We are also actively working to to incorporate the ages 12 to 17 into our immunization program’

The AstraZeneca-Oxford University vaccine. (AP/Eranga Jayawardena)
2nd person in B.C. diagnosed with rare blood clotting after AstraZeneca vaccine

The man, in his 40s, is currently receiving care at a hospital in the Fraser Health region

Signage for ICBC, the Insurance Corporation of British Columbia, is shown in Victoria, B.C., on February 6, 2018. THE CANADIAN PRESS/Chad Hipolito
$150 refunds issued to eligible customers following ICBC’s switch to ‘enhanced care’

Savings amassed from the insurance policy change will lead to one-time rebates for close to 4 million customers

Police investigate a fatal 2011 shooting in a strip mall across from Central City Shopping Centre, which was deemed a gang hit. The Mayor’s Gang Task Force zeroed in on ways to reduce gang involvement and activity. (File photo)
COVID-19 could be a cause in public nature of B.C. gang violence: expert

Martin Bouchard says the pandemic has changed people’s routines and they aren’t getting out of their homes often, which could play a role in the brazen nature of shootings

Tinder, an online dating application that allows users to anonymously swipe to like or dislike other’s profiles. (Black Press Media files)
B.C. man granted paternity test to see if Tinder match-up led to a ‘beautiful baby’

The plaintiff is seeking contact with the married woman’s infant who he believes is his child

Most Read