[BreachExchange] Potential scope of Desjardins data breach widens to include another 2 million credit card holders

Destry Winant destry at riskbasedsecurity.com
Wed Dec 11 10:12:10 EST 2019


Desjardins Group says the former employee suspected of orchestrating a
massive data breach also had access to the personal information of a
further 1.8-million credit card holders.

These credit card holders are not members of Desjardins, Canada's
biggest federation of credit unions. They are in addition to the 4.2
million members already known to be affected by the data breach.

The data breach was first made public in June. At the time,
authorities alleged the suspect — an employee who has since been
fired — had transferred the personal information of members to a third

On a conference call Tuesday, Desjardins's executives said they don't
believe the personal information of the credit card holders was
transferred to a third party. They were informing the public as a
"preventive" measure, they said.

Desjardins's executives also said the suspect only had access to
limited amounts of data.

"No credit card was compromised, nor was any payment system like
Interac or debit card. Passwords, security questions and personal
identification numbers also weren't affected," said Réal Bellemare,
Desjardins's newly appointed chief financial officer.

Desjardins also announced Tuesday that it is extending its
credit-monitoring insurance to anyone who does business with the

The insurance was initially available to those members who were
affected by the breach. It will now be available to both members and
clients, current and past — an estimated 8 million people across

Earlier this month, two senior executives at Desjardins left the
organization following an internal audit into the data breach.

"The events of recent months brought me to the conclusion that we had
to change the makeup of senior management," president and CEO Guy
Cormier said after replacing his CFO, Denis Berthiaume, and the
vice-president of information technology, Chadi Habib.
