[BreachExchange] Desjardins CEO testifies over massive data breach incident

[Destry Winant]

https://www.insurancebusinessmag.com/ca/news/cyber/desjardins-ceo-testifies-over-massive-data-breach-incident-192813.aspx

The group president and CEO of Desjardins was called to testify for
his company, following a massive data breach incident that left the
data of all of the co-operative’s 4.2 million clients exposed.

Chief executive Guy Cormier spoke to Quebec legislators on Thursday,
The Canadian Press reported. In his testimony, he said that data
thefts happen all the time, adding that lawmakers should redirect
their attention from his company and “expand” their focus to include
the larger problems surrounding securing personal information.

Cormier also mentioned other cases of major data breaches in recent
memory, specifically those involving Marriott, Disney and Sephora. He
also called internal fraud the “bete noire” of all organizations.

In June, Desjardins initially reported that the information of 2.9
million customers had been affected by the breach, which was caused by
an employee who leaked the data. The information compromised involved
names, addresses, birth dates, social insurance numbers, email
addresses, and even data on transaction habits.

The information did not include banking data or passwords.

Cormier said that his company has “worked hard” since June to address
the data breach.

“We fired the employee at fault. We developed new protections that are
unequalled in Canada and also in a record time,” he explained.

The chief executive added that his bank invests $70 million annually
in IT protection and cybersecurity.

Adamant that his company handled the situation as best it could,
Cormier suggested that other companies that have suffered breaches of
their own could learn a lesson from Desjardins.

“Who else acted with as much transparency, and the same sense of duty
that Desjardins has shown in the past months?” he said.

The Canadian Press said that the Quebec government is preparing two
bills related to personal data security. Both are scheduled to be
tabled in the weeks to come.