A Caisse populaire Desjardins sign is seen in Montreal on Tuesday, June 18, 2019. The federal privacy watchdog says a series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest in the Canadian financial services sector. THE CANADIAN PRESS/Paul Chiasson

A Caisse populaire Desjardins sign is seen in Montreal on Tuesday, June 18, 2019. The federal privacy watchdog says a series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest in the Canadian financial services sector. THE CANADIAN PRESS/Paul Chiasson

Series of gaps allowed massive Desjardins data breach, privacy watchdog says

The incident compromised the data of nearly 9.7 million Canadians

A series of technological and administrative gaps caused a high-profile data breach at Desjardins — the largest to date in the Canadian financial services sector, the federal privacy watchdog has found.

In a report today, privacy commissioner Daniel Therrien said Desjardins did not demonstrate the level of attention needed to protect the sensitive personal information entrusted to its care.

The incident compromised the data of nearly 9.7 million Canadians.

“Canadians expect banking information to have a high level of protection, given its sensitivity,” Therrien told a news conference today.

For at least 26 months, a malicious employee was siphoning sensitive personal information collected by Desjardins from customers who had purchased or received products through the organization, Therrien found.

This information was originally stored in two data warehouses to which the employee in question had limited access, the commissioner said.

However, other employees, in the course of fulfilling their work, would regularly copy that information onto a shared drive. As a result, employees who would not usually have the required clearance or the need to access some of the confidential data were able to do so, Therrien found.

The commissioner says the investigation into the breach sheds light on the risks of internal threats, whether they are intentional or not.

The investigation revealed that Desjardins failed to meet several of its obligations under the federal privacy law governing companies. Therrien found:

  • Desjardins did not ensure proper implementation of its policies and procedures for managing personal information, some of which were inadequate;
  • The access controls and data segregation of the company’s databases and directories were lacking;
  • Employee training and awareness were inadequate, considering the sensitive nature of the personal information;
  • Desjardins did not have proper procedures regarding the periodic destruction of personal information.

Desjardins agreed to a series of recommendations to improve information security and the protection of personal data, Therrien said.

The company has committed to provide progress reports every six months as well as hire external auditors to assess and certify its programs.

Therrien’s office and the Commission d’accès à l’information du Québec, which also published its report today, co-ordinated their respective probes.

Jim Bronskill, The Canadian Press

Like us on Facebook and follow us on Twitter.

Want to support local journalism? Make a donation here.

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

Adams Lake Kukpi7 (Chief) Cliff Arnouse (pictured), Neskonlith Kukpi7 Judy Wilson and Little Shuswap Lake Kukpi7 Oliver Arnouse released a joint notice regarding confirmed cases of COVID-19 in their respective communities. (File photo)
Secwepemc First Nation bands responding to COVID-19 cases in their communities

Adams Lake, Neskonlith and Little Shuswap Lake band chiefs release joint notice

The CSRD will be hosting online budget consultations and their board meetings will also be streamed online for the foreseeable future. (CSRD Image)
Columbia Shuswap Regional District budget and board meetings will be held online

A first draft of the budget is available on the regional district’s website

Canadian poet Wali Shah, former NHL’er Corey Hirsch, author, activist and empowerment coach Ashley Bendiksen, and successful Salmon Arm entrepreneur Missy MacKintosh are among the guest speakers participating in the Shuswap Youth Launch event on Thursday, Feb. 25. (Shuswap Youth Launch image)
Shuswap youth excited to launch inspiring virtual event

Corey Hirsch, Wali Shah, Missy MacKintosh among guest speakers

A logging truck spilled its load on Squilax-Anglemont Road after failing to negotiate a shard corner on Jan. 19. (Google Maps image)
Logging truck loses load, blocks traffic in North Shuswap

Jan. 19 incident on Squilax-Anglemont Road obstructed traffic for several hours

Interior Health reported 91 new COVID-19 cases in the region Jan. 20, 2021 and three additional deaths. (Jennifer Smith - Morning Star)
95 new COVID-19 cases in Interior Health, two deaths

Another member of Vernon’s Noric House has passed

Toronto Public Health nurse Lalaine Agarin sets up for mass vaccination clinic in Toronto, Jan. 17, 2021. B.C. is set to to begin its large-scale immunization program for the general public starting in April. THE CANADIAN PRESS/Frank Gunn
B.C.’s COVID-19 mass vaccinations expected to start in April

Clinics to immunize four million people by September

(Phil McLachlan - Capital News)
‘It’s incredibly upsetting’: Kelowna health care worker demands WestJet ticket refund

Kelowna woman has been waiting almost a year for a refund on her Kelowna to Edmonton flight

The District of Saanich’s communications team decided to take part in a viral trend on Thursday and photoshopped U.S. Senator Bernie Sanders into a staff meeting photo. (District of Saanich/Twitter)
Bernie Sanders makes guest appearance municipal staff meeting in B.C.

Vancouver Island firefighters jump on viral trend of photoshopped U.S. senator

School District 57 headquarters in Prince George. (Mark Nielsen, Local Journalism Initiative Reporter)
Prince George school district settles with sexual abuse victim

Terms were part of an out-of-court settlement reached with Michael Bruneau, nearly four years after he filed a lawsuit

The Oliver Fire Department’s “new” truck was built with the help of various local companies. It was completed Thursday, Jan. 21, 2021. (Oliver Fire Dept. / Facebook)
It takes a town to build a truck: The Oliver Fire Department gets creative

Ingenuity and local connections played an important role in the upgrading fire truck

Surrey provincial court. (File photo: Tom Zytaruk)
New COVID-19 protocols set for provincial courthouses

The new rules were issued on Jan. 21, and took effect immediately

Police in Vancouver looking for male suspect who allegedly spat and attacked a store manager for not wearing a mask, at 7-Eleven near Alma Street and West 10th Avenue just before noon on Dec. 17, 2020. (Vancouver police handout)
VIDEO: Man spits on 7-Eleven manager over mask rule, sparking Vancouver police probe

‘Unfortunately, the store manager sustained a cut to his head during the assault’

The Vancouver-based SAR team successfully rescued two lost snowshoers off of the west side of Tim Jones Peak in the early morning of Monday, Jan. 19. (North Shore Rescue photo)
B.C.’s busiest SAR team raises alarm after 2021 begins with fatality, multiple rescues

‘People beyond ski resort areas of Seymour, Grouse, and Cypress go without cell reception,’ SAR warns

A ‘Notice of trespass and personal liability’ has been ‘served’ by a mysterious group called the Sovereign Republic of British Columbia to several Okanagan mayors.
Mysterious group serves notice to Okanagan-Shuswap mayors, demanding end to ‘unlawful’ COVID rules

26-page letter sent by ‘Sovereign Republic of British Columbia’

Most Read