The Canadian cooperative bank Desjardins and local authorities are currently dealing with a particularly hefty case of data abuse: A bank employee – who has since been dismissed – managed to steal the personal data of roughly 2.9 million customers. About 40% of Desjardins’ customers have been affected by the incident. Today, we are going to take a closer look at this case of internal data abuse.

Contents (show)

Data Theft Due to Poor IT Security

Back in December 2018, the bank had noted a suspicious transaction and reported it directly to Laval police (Quebec). Since then, the bank has worked closely with authorities to investigate the incident and find the offender responsible for the transaction. The true extent of the incident was revealed only recently, and police informed Desjardins about this on June 14th, 2019.

A member of the bank’s IT department had abstracted and passed on the data of over 2.7 million private customers and 173.000 business customers. This incident is not an example of a hacker attack from outside – it is an example of data abuse from within. For Desjardins, this fact is especially bitter to digest because the damage done to the bank’s image is likely to prevail for years to come.

Lack of Access Management Enabled Data Abuse

The perpetrator was able to bypass security measures that were designed to prevent a single person from being able to access all customer records. It is without doubt that Desjardins‘ access management system was not sophisticated enough to prevent the attack. The culprit was immediately fired and arrested by the police.

What Data Were Affected?

Private customers had their personal data stolen, including first and last names, DOBs, social security numbers, addresses, phone numbers, e-mail addresses, as well as details on banking usage and Desjardins products.

The stolen records of business customers include company names, addresses, phone numbers, names of owners as well as names of AccèsD Affaires account users.


Passwords, security questions and pin codes were not affected. The bank immediately made the incident public and informed all persons concerned.

Financial Consequences for Desjardins

Aside from the damage to the bank’s image and the loss of credibility toward its customers, Desjardins also face significant financial consequences. In a class action lawsuit filed with the Supreme Court of Quebec, the financial institution is being accused of negligence and of failing to fulfill its obligation to adequately protect customer data.

For those affected, damages of 300 US dollars each are being claimed. In addition, Desjardins is offering a 5-year credit monitoring service to all affected customers. The service includes daily access to credit reports, notification of important changes and identity theft insurance.

Ever since the attack became known, the bank has been working with police, authorities and IT security experts to minimize the damage and to guarantee better security in the future.

[FREE WHITEPAPER] Best Practices for Access Management in Microsoft® Environments

Read our white paper to learn how best to treat access rights in Microsoft® environments.

Go to download

[FREE WHITEPAPER] Best Practices for Access Management in Microsoft® Environments

Read our white paper to learn how best to treat access rights in Microsoft® environments.

Go to download

Financial Services Authority Warns of Fraud

Quebec’s financial services authority warned that Desjardins’ customers may now fall prey to fraudulent emails, text messages, and phone calls due to the data breach. Scammers may try to contact the victims of the incident under the false pretense of needing to take security measures and wanting to provide updates regarding the event.

Access Management Strategy Can Provide Protection

The incident demonstrates the immense damage potential posed by internal IT security staff . While businesses fear hacker attacks and try to take great precautions to prevent outside attacks from happening, they often neglect the potential dangers lurking within. What we know for sure is that people can only steal data they actually have access to.

Only a sophisticated access management system or software for identity and access management can provide sufficient protection for your data. Our blogpost Access Management vs IAM covers the differences between these two solutions and outlines which system best suits which business model.

Sign up for our webinar!

“Top 5 Access Management Risks” –
held by Helmut Semmelmayer, tenfold Software GmbH

Register for free

Webinar Anmeldung Icon

Sign up for our webinar!

“Top 5 Access Management Risks” –
held by Helmut Semmelmayer, tenfold Software GmbH

Register for free