[BreachExchange] Millions Exposed in Desjardins Data Leak

[Destry Winant]

https://www.bloomberg.com/news/articles/2019-06-20/desjardins-says-2-9-million-clients-exposed-in-quebec-data-leak?srnd=markets-vp

Desjardins Group, the largest financial co-operative in North America,
said an “ill-intentioned” employee illegally exposed the personal
information of some 2.9 million credit union members in one of
Canada’s largest data leaks.

Laval police alerted the Quebec-based institution on June 14 with
information confirming that personal details from 2.7 million
individual clients and 173,000 business members had been shared
outside the firm, Desjardins said Thursday in a statement. The company
described the situation as the outcome of “unauthorized and illegal
use” of internal data by an employee who has since been fired.

“For Desjardins, it’s one in a lifetime,” Chief Operating Officer
Denis Berthiaume said in a phone interview. “We’ll make every effort
so that this will be the last one.”

The disclosure was the result of a months-long police investigation
precipitated when the lender spotted a suspicious transaction in late
2018 and contacted authorities, according to Berthiaume. By late May,
police told Desjardins that information from “a small number” of
members had been leaked.

Desjardins tightened security and did its own investigation to
identify the leak, identifying one employee who acted illegally. The
police probe ultimately identified an even larger number of people
affected.

“Our inquiry now is finished and it’s very clear in our minds that the
individual acted alone,” Berthiaume said. “We were really quick to
identify him. We suspended him, we stopped his data access and a few
days later we fired him.”

The information affected included names, birthdates, social insurance
numbers, email addresses, phone numbers, street addresses and details
on banking habits. Passwords, security questions and personal
identification numbers weren’t compromised, and the incident was not a
“cyberattack,” the financial co-operative said. Berthiaume said it
involved mostly Quebec clients and its banking operations.

Security Leaks

The lapse appears to be one of the largest in Canada. In May 2018,
Canadian Imperial Bank of Commerce alerted clients that “fraudsters”
claimed to have electronically breached personal and financial
information from about 40,000 accounts from its Simplii Financial
online banking business. Bank of Montreal was also affected in an
attack it believed came from outside the country, affecting less than
50,000 clients.

National Bank of Canada said a website glitch may have exposed the
personal information of about 400 customers in September 2017 due to
human error in setting up an electronic form on the Montreal-based
lender’s website.

Credit rating firm Equifax Inc. disclosed that intruders got access to
personal information of 19,000 Canadians in a 2017 data breach that
affected more than 143 million U.S. customers.

Data breaches aren’t just the purview of financial firms. Air Canada
locked accounts of clients using the airline’s mobile app last August
after detecting unusual login behavior. Goldcorp Inc. was hit by
hackers in 2016 as part of an attempt to extort money from the gold
company. A year earlier, hackers exposed the names of more than 37
million anonymous users at the Canadian-based adultery website
AshleyMadison.com run by Avid Life Media Inc.