The Canadian cooperative bank Desjardins and domestic authorities are currently dealing with a particularly serious case of data theft: A bank employee, who has since been dismissed, swiped the personal data of roughly 2.9 million customers. About 40% of Desjardins’ customers are affected by the incident.
Back in December 2018, the bank had noted a suspicious transaction and reported it directly to Laval police (Quebec). Since then, the bank has worked closely with the authorities to investigate the incident and find the offender responsible for the transaction. The true extent of the disaster was only recently revealed and police informed Desjardins about it on June 14th, 2019.
An internal member of the IT department had stolen data from 2.7 million private customers and 173,000 business customers and passed it on to third parties. The incident was not a hacker attack from outside, but a case of data abuse from within – a fact that is especially bitter to digest, for it can be assumed that the damage done to the bank’s image will persist for years to come.
The perpetrator was able to bypass security measures that were designed to prevent a single person from being able to access all customer records. There is no doubt that Desjardins’ access management system was not sophisticated enough to prevent the attack. The culprit was immediately fired and arrested by the police.
What Data Were Affected Precisely?
Private customers had their personal data stolen, including first and last names, DOBs, social security numbers, addresses, phone numbers, e-mail addresses, as well as details on banking usage and Desjardins products.
The stolen business customer records include company names, business addresses, business phone numbers, names of owners and users of the AccèsD Affaires accounts.
Passwords, security questions and PIN codes were not affected. The bank immediately made the incident public and informed all persons concerned.