The mass data breach at Desjardins — the largest ever in the Canadian financial services sector — was caused by a series of gaps in the Quebec company’s security setup, according to a new investigation by the federal and Quebec privacy commissioners.
“Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care,” Daniel Therrien, the privacy commissioner of Canada, wrote in a release published this morning.
“The organization’s customers and members, and all citizens, were justifiably shocked by the scale of this data breach.”
The report says the breach compromised the data of nearly 9.7 million Canadians. The accounts included seven million based in Quebec, said Diane Poitras, the president of Quebec’s Commission d’accès à l’information.
For at least 26 months, a “malicious” employee copied sensitive personal information collected by Desjardins from customers who had bought or received products offered directly or indirectly by the organization, the report says.
The information was originally stored in two data warehouses to which the employee had limited access. However, other employees, as part of their work, would regularly copy that information onto a shared drive. As a result, employees who would not usually have the required clearance or the need to access some of the confidential data were able to do so, the report says.
Speaking to reporters, Therrien called it unacceptable that a company the size of Desjardins didn’t have the ability to prevent the breach.
“Canadians expect banking information to have a high level of protection, given its sensitivity,” he said.
The privacy commissioners’ probe found a series of gaps in the company’s administrative and technological safeguards, including:
- Desjardins didn’t ensure the proper implementation of its policies and procedures for managing personal information, some of which were inadequate to begin with.
- Access controls and data segregation of the databases and directories were inadequate.
- Employee training and awareness were lacking given the sensitive nature of the personal information the organization had.
- The company didn’t have procedures regarding the periodic destruction of personal information.
“Desjardins had recognized some of the security weaknesses that ultimately led to the breach and had developed a plan to remedy them. Nonetheless, it failed to rectify the issues in time to prevent what happened,” said Therrien.
“Moreover, the breach occurred over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by the police.”
However, Therrien said he is satisfied with the mitigation measures Desjardins offered to the affected customers after the breach.
For its part, Desjardins said it wasn’t conducting interviews in response to the report. In a statement, the company said that it will work over the next few years to create what it called a digital identity platform. The company said this will allow information to be shared more securely and give people more control over their own data.