A Caisse populaire Desjardins sign is seen in Montreal on Tuesday, June 18, 2019. The federal privacy watchdog says a series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest in the Canadian financial services sector. THE CANADIAN PRESS/Paul Chiasson

A Caisse populaire Desjardins sign is seen in Montreal on Tuesday, June 18, 2019. The federal privacy watchdog says a series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest in the Canadian financial services sector. THE CANADIAN PRESS/Paul Chiasson

Series of gaps allowed massive Desjardins data breach, privacy watchdog says

The incident compromised the data of nearly 9.7 million Canadians

A series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest to date in the Canadian financial services sector, the federal privacy watchdog has found.

In a report today, privacy commissioner Daniel Therrien said Desjardins did not demonstrate the level of attention needed to protect the sensitive personal information entrusted to its care.

The incident compromised the data of nearly 9.7 million Canadians.

“Canadians expect banking information to have a high level of protection, given its sensitivity,” Therrien told a news conference today.

For at least 26 months, a malicious employee was siphoning sensitive personal information collected by Desjardins from customers who had purchased or received products through the organization, Therrien found.

This information was originally stored in two data warehouses to which the employee in question had limited access, the commissioner said.

However, other employees, in the course of fulfilling their work, would regularly copy that information onto a shared drive. As a result, employees who would not usually have the required clearance or the need to access some of the confidential data were able to do so, Therrien found.

The commissioner says the investigation into the breach sheds light on the risks of internal threats, whether they are intentional or not.

The investigation revealed that Desjardins failed to meet several of its obligations under the federal privacy law governing companies. Therrien found:

  • Desjardins did not ensure proper implementation of its policies and procedures for managing personal information, some of which were inadequate;
  • The access controls and data segregation of the company’s databases and directories were lacking;
  • Employee training and awareness were inadequate, considering the sensitive nature of the personal information;
  • Desjardins did not have proper procedures regarding the periodic destruction of personal information.

Desjardins agreed to a series of recommendations to improve information security and the protection of personal data, Therrien said.

The company has committed to provide progress reports every six months as well as hire external auditors to assess and certify its programs.

Therrien’s office and the Commission d’accès à l’information du Québec, which also published its report today, co-ordinated their respective probes.

Jim Bronskill, The Canadian Press

Like us on Facebook and follow us on Twitter.

Want to support local journalism? Make a donation here.

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

Alberta chief medical officer of health Dr. Deena Hinshaw reported 11 additional deaths over the past 24 hours. (photography by Chris Schwarz/Government of Alberta
Red Deer active COVID-19 cases drop slightly

Province reports 267 additional COVID-19 cases, 11 new deaths

On Monday, Feb. 22, Island Health listed Glacier View Secondary on 241 Beacher Drive in Courtenay as having a COVID-19 exposure Feb. 17 and 18. Black Press file photo
Red Deer sets new COVID-19 case record

There are now 565 active cases in Red Deer

Across the province, there are 2,738 active cases of COVID-19, with 18,417 recovered cases. There have been 288 deaths from the virus in Alberta since the beginning of the pandemic. (File photo)
Red Deer has 564 of central zone’s 766 active COVID-19 cases

Government of Alberta identifies 328 new COVID-19 cases Sunday

COVID
Red Deer up to 546 active cases of COVID-19

Province added 380 additional cases Saturday

As of Friday, Alberta has under 10,000 active COVID-19 cases. (Image courtesy CDC)
Red Deer surpasses 500 active COVID-19 cases

212 active COVID-19 cases connected to Olymel outbreak

Bookings for COVID-19 vaccines for people age 75 or older start Wednesday. (File photo by THE CANADIAN PRESS)
Updated: Delays for seniors booking for vaccine appointments

By 9:20 a.m. Wednesday, 4,500 seniors had booked their appointments

Minister Rick Wilson poses with Katie at the Boys and Girls Club of Wetaskiwin, both wearing her Pink Shirt Day design. Facebook/ Boys and Girls Club of Wetaskiwin.
Wetaskiwin Boys and Girls club Pink Shirt day design focuses on kindness

Katie with the Boys and Girls Club of Wetaskiwin created this year’s Pink Shirt Day design.

Black Press File Photo
Valentine’s Day shooting in Maskwacis leaves one male in hospital, one male in custody

19-year-old Francis Edward Nepoose from Maskwacis has been charged with attempted murder.

Red Deer Court of Queen’s Bench Justice Anne Kirker is expected to sentence Satnam Singh Sandhu on Friday. Red Deer Advocate file photo
Updated: Sylvan Lake man pleads guilty to manslaughter for strangling wife in 2019

Kulvinder Sandhu was strangled and died in hospital several days later

Sentencing delayed in the stabbing death of Samantha Sharpe, of Sunchild First Nation. (Red Deer Advocate file photo)
Central Alberta man not criminally responsible for killing his father in 2020: judge

Psychiatrist testified Nicholas Johnson was psychotic when he killed his father

The cover of “Hometown Asylum: A History and Memoir of Institutional Care.” (Submitted)
Ponoka-born author writes history of old mental hospital

“Hometown Asylum: A History and Memoir of Institutional Care” covers 1911 to 1971

Jacqueline Buffalo. (Photo submitted)
TikTok connects Indigenous women during pandemic

Maskwacis influencers share their stories

Todd Hirsch. (Image: screenshot)
ATB vice president gives financial forecast to Ponoka chamber

Predictions for reopening of the economy and recovery outlined

The 24/7 Integrated Response Hub is currently located in the Wetaskiwin Civic Building. Shaela Dansereau/ Pipestone Flyer.
Wetaskiwin business owners concerned over 24/7 Integrated Hub’s impact downtown

Downtown businesses have had loss of customers, threats, increased property damage and break-ins.

Most Read