Desjardins knew it had vulnerabilities before massive 2019 data breach, privacy watchdog says

Desjardins Group did not have appropriate safeguards in place to prevent a “malicious employee” from stealing the information of 9.7 million customers over 26 months, says Canada’s privacy commissioner – which led to the biggest-ever data breach in the country’s financial services sector.

The Office of the Privacy Commissioner of Canada, its Quebec counterpart and the province’s financial regulator published on Monday the results of their investigations into the breach, which was first reported in 2019. They found that the Desjardins marketing team had access to a shared directory of client information that should have had more stringent security, allowing a member of that team to transfer “financial and identity profiles” to USB keys from their computer.

The privacy watchdogs found that some of Desjardins’ policies and procedures for managing personal data were “inadequate” – and that it also failed to follow through with some of those procedures in the first place. Training to handle sensitive data was “lacking,” the investigators found, and the company hadn’t put proper procedures in place to manage the destruction of personal data.

Story continues below advertisement

“One of the most problematic issues that we’ve seen here is that Desjardins knew that it had vulnerabilities,” federal commissioner Daniel Therrien told a virtual press conference Monday. “To their credit, they were taking measures to correct those vulnerabilities, but did not do so sufficiently rapidly.”

He added that it was “unacceptable” that Desjardins didn’t have systems in place to monitor for this kind of employee-led breach. The privacy investigation found that Desjardins did not meet obligations under the federal Personal Information Protection and Electronic Documents Act. (Ottawa plans to overhaul that law soon to align it with jurisdictions such as the European Union and California, bringing with it what Innovation Minister Navdeep Bains describes as the strongest fines for data breaches in the G7.)

Quebec’s financial regulator, the Autorité des marchés financiers, said in its own report Monday that it had found Desjardins “had failed to comply with its legal obligation to apply sound and prudent management practices, which increased the odds of such an incident occurring.” It singled out the credit union’s senior management and board for not putting sufficient controls in place and not “adequately monitoring” plans to implement recommendations of both the regulator and its own internal auditors.

In a written response to the investigations’ findings, the credit union said it had agreed to recommendations to strengthen its security practices, including creating a retention schedule for destroying personal data after its purpose is no longer necessary. It must now submit a monthly report to the Quebec regulator to show progress in implementing recommendations.

Desjardins said it would appoint a chief data officer to manage its data practices and create a security office with a budget of more than $150-million. Last December, the credit union also created a special board committee to over its reaction to the privacy breach, which the company said Monday would continue to oversee the implementation of new policies and procedures.

“Desjardins has made great strides in information security over the past 18 months and will continue to apply international best practices,” the Desjardins statement said.

The information breach included names, dates of birth, home and e-mail addresses, phone numbers and social insurance numbers, as well as some account and transaction details.

Story continues below advertisement

Desjardins contested the extent of the data breach as described by the privacy watchdogs, saying that its evidence suggests that only 4.2 million clients with active potentially had their data exposed to a third party. “There is nothing that confirms that the ex-employee shared anyone else’s personal information with third parties,” the statement said.

But the investigators said that more than 4 million former account holders were also part of the breach, prompting them to highlight the importance of destroying outdated customer information. Some people whose information was exposed hadn’t had been a Desjardins client in decades, which Mr. Therrien said he found “startling.”

“There’s obviously a link between maintaining information that you no longer need as a company, and exposing your former clients to this kind of breach,” Mr. Therrien said.

Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.