A Caisse populaire Desjardins sign is seen in Montreal on Tuesday, June 18, 2019. The federal privacy watchdog says a series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest in the Canadian financial services sector. THE CANADIAN PRESS/Paul Chiasson

A Caisse populaire Desjardins sign is seen in Montreal on Tuesday, June 18, 2019. The federal privacy watchdog says a series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest in the Canadian financial services sector. THE CANADIAN PRESS/Paul Chiasson

Series of gaps allowed massive Desjardins data breach, privacy watchdog says

The incident compromised the data of nearly 9.7 million Canadians

A series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest to date in the Canadian financial services sector, the federal privacy watchdog has found.

In a report today, privacy commissioner Daniel Therrien said Desjardins did not demonstrate the level of attention needed to protect the sensitive personal information entrusted to its care.

The incident compromised the data of nearly 9.7 million Canadians.

“Canadians expect banking information to have a high level of protection, given its sensitivity,” Therrien told a news conference today.

For at least 26 months, a malicious employee was siphoning sensitive personal information collected by Desjardins from customers who had purchased or received products through the organization, Therrien found.

This information was originally stored in two data warehouses to which the employee in question had limited access, the commissioner said.

However, other employees, in the course of fulfilling their work, would regularly copy that information onto a shared drive. As a result, employees who would not usually have the required clearance or the need to access some of the confidential data were able to do so, Therrien found.

The commissioner says the investigation into the breach sheds light on the risks of internal threats, whether they are intentional or not.

The investigation revealed that Desjardins failed to meet several of its obligations under the federal privacy law governing companies. Therrien found:

  • Desjardins did not ensure proper implementation of its policies and procedures for managing personal information, some of which were inadequate;
  • The access controls and data segregation of the company’s databases and directories were lacking;
  • Employee training and awareness were inadequate, considering the sensitive nature of the personal information;
  • Desjardins did not have proper procedures regarding the periodic destruction of personal information.

Desjardins agreed to a series of recommendations to improve information security and the protection of personal data, Therrien said.

The company has committed to provide progress reports every six months as well as hire external auditors to assess and certify its programs.

Therrien’s office and the Commission d’accès à l’information du Québec, which also published its report today, co-ordinated their respective probes.

Jim Bronskill, The Canadian Press

Like us on Facebook and follow us on Twitter.

Want to support local journalism? Make a donation here.

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

This Dec. 2, 2020, file photo provided by Johnson & Johnson shows vials of the COVID-19 vaccine in the United States. (Johnson & Johnson via AP)
Interior Health notes 80 new COVID-19 cases over the weekend

108 people in the region have died from the virus

Last week warming temperatures were a concern for Avalanche Canada forecasters, and those trends likely contributed to an avalanche that killed a West Kootenay snowmobiler on Thursday, March 4. Jen Coulter file photo.
Warming trend contributed to Kaslo fatality: Avalanche Canada

Concern for persistent layers has reduced since then

A health-care worker prepares a dose of the Pfizer-BioNTech COVID-19 vaccine at a UHN COVID-19 vaccine clinic in Toronto, Thursday, Jan. 7, 2021. A single dose of Pfizer-BioNTech’s COVID-19 vaccine is barely enough to cover the average pinky nail but is made up of more than 280 components and requires at least three manufacturing plants to produce. THE CANADIAN PRESS/Nathan Denette
COVID-19 immunizations set to begin for age-based cohorts

Eligible seniors can book appointments through a call centre starting Monday, March 8.

(Phil McLachlan/Capital News)
City of Kimberley has reserve fund for potential police contract increases

Currently city has about half of projected new contract costs in reserve

Forty-eight vaccination clinics will open across Interior Health beginning March 15. (Canadian Press)
48 COVID-19 vaccine clinics to open across Interior Health

Select groups can book appointments starting Monday

(The Canadian Press)
‘Worse than Sept. 11, SARS and financial crisis combined’: Tourism industry in crisis

Travel services saw the biggest drop in active businesses with 31 per cent fewer firms operating

A special committee has been appointed to look at reforming B.C.’s police act and is inviting the public to make submissions until April 30, 2021. (Black Press media file)
Have thoughts on B.C.’s review of the provincial Police Act?

Submissions will be accepted until April 30

Cottonwoods Care Home in Kelowna. (Google Maps)
New COVID-19 outbreak at Kelowna care home includes fully vaccinated seniors: Henry

Two staff and 10 residents tested positive at Cottonwoods Care Centre

Excerpts from a conversation between Bria Fisher and the fake truLOCAL job. Fisher had signed a job agreement and was prepared to start work for what she thought was truLOCAL before she learned it was a scam. (Contributed)
B.C. woman warning others after losing $3,000 in job scam

Bria Fisher was hired by what she thought was a Canadian company, only to be out thousands

Join Black Press Media and Do Some Good
Join Black Press Media and Do Some Good

Pay it Forward program supports local businesses in their community giving

Provincial health officer Dr. Bonnie Henry and Health Minister Adrian Dix provide a regular update on the COVID-19 situation, B.C. legislature, March 2, 2020. (B.C. government)
B.C.’s COVID-19 cases: 545 Saturday, 532 Sunday, 385 Monday

Focus on Prince Rupert, Lower Mainland large workplaces

Rising accident rates and payout costs have contributed to billion-dollar deficits at ICBC. (Comox Valley Record)
B.C. appealing decision keeping ICBC injury cases in court

David Eby vows to ‘clip wings’ of personal injury lawyers

(Black Press Media files)
Hosts charged, attendees facing COVID fines after Vancouver police bust party at condo

Police had previously received 10 complaints about that condo

Most Read