Banking information of more than 2.9 million members of Desjardins, Canada’s biggest lending cooperative, has been compromised and was shared to third parties without authorization, a press release from the organization published yesterday said.
Around 2.7 million personal members and 173,000 business members were affected by the data breach, according to the investigation conducted by the Laval police. The cause of the data compromise: “an ill-intentioned employee who acted illegally and betrayed the trust of their employer.”
Desjardins has already confirmed that the said employee has already been fired as of writing and additional security measures have been put in place to ensure all the organization’s members’ personal and financial data remains protected.
The organization clarifies that the company was not in any form targeted by a cyber attack and they have not seen a spike in fraud cases involving their members’ accounts in recent months. All of the data breach was attributed to the recently fired employee who shared financial information of members to individuals outside the organization maliciously. Furthermore, they said that AccèsD passwords (for both personal and business accounts), security questions and PINs were not part of the compromised data.
As soon as the organization became aware of the situation, they hired experts, began working closely with the police, and introduced additional measures to protect their members’ personal information, accounts, and assets.
“We understand that this is a worrying situation. We sincerely regret the inconvenience it has caused. Your assets and accounts at Desjardins are protected—you won’t suffer a financial loss if unauthorized transactions are made in your Desjardins accounts as a result of this situation,” wrote the company to console the affected victims.
Furthermore, the company said that they have already contacted authorities including Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec and the Autorité des marchés financiers to report the incident.
As part of their mitigation efforts, Desjardin’s are currently monitoring the activity in all their members’ accounts, and they are taking additional steps to confirm our members’ and clients’ identities when they call their Desjardins caisse or our AccèsD call center.
“Additional monitoring and protection measures were put in place on all member accounts. You will also notice that the procedures for confirming your identity in person and over the phone have been strengthened. Other measures have also been put in place, but these must remain confidential to ensure their effectiveness,” the press release reads.
Desjardins is the leading financial cooperative in Canada, with more than seven million active clients and members. Rated one of Canada’s top 100 employers by Mediacorp Canada, the organization is home to more than four thousand employees and more than three thousand board members. Desjardins is the financial institution with the largest regional presence in Quebec and the only financial institution established in 240 towns and villages.
Meanwhile, the company has already notified their affected members through a letter sent by the company regarding the data breach. As part of their efforts to help affected accounts secure their financial data and to mitigate the possible effects of the data breach, Desjardins also offered those who are concerned with a 5-year credit monitoring plan, paid for by the organization. The service includes daily access to your credit report, alerts of critical changes, and identity theft insurance.
They advised the affected members that the letter they received includes a personal activation code which they can use to activate their credit monitoring plan with Equifax before October 31, 2019.
They also advised those who administer a business or estate account, or have power of attorney for an account, they will receive a letter for each impacted account. As a result, they may receive more than one letter. Desjardins decided to proceed in this manner to make sure affected accounts were notified as quickly as possible. Consolidating their mailing lists would have taken extra time and is counterintuitive in resolving the data breach as fast as they can.
Furthermore, Desjardins is also encouraging their members who have not received a notification mail from them – meaning they are not part of those who are affected – to be vigilant.
“Be suspicious of any emails and text messages you receive that ask you to provide personal information. Desjardins will never send you unsolicited emails or text messages asking for personal information,” they said.
“Make sure all your recent account activity is legitimate.”