More than 2.9 million Desjardins Group members have had their personal information compromised in a data breach targeting Canada’s biggest credit union.
The incident stems from “unauthorized and illegal use of internal data” by an employee who has since been fired, Desjardins said Thursday in a statement. Computer systems were not breached, the cooperative said.
Names, dates of birth, social insurance numbers, addresses and phone numbers of about 2.7 million individual members were released to people outside the organization, Desjardins said. Passwords, security questions and personal identification numbers weren’t compromised, Desjardins stressed. About 173,000 business customers were also affected.
Calling the matter a “very serious situation,” Quebec’s Autorité des marchés financiers nevertheless expressed confidence that Desjardins officials “handled the situation with due rigour, transparency and speed and that the cooperation provided to law enforcement is full and complete. “
The incident “highlights the omnipresent risks to information security that all organizations must now contend with,” the financial markets watchdog said in a statement.
Desjardins said it learned of the breach when contacted by Laval police June 14. The company said it has implemented additional security measures to protect personal information, accounts and assets. It has also hired experts and is working closely with the Laval police.
“I’d like to reassure our members and clients: their accounts and assets with Desjardins are protected in the event of fraud,” chief executive officer Guy Cormier said in the statement. “If they suffer a financial loss as a result of this situation, they will get their money back. We regret this situation and are making every effort to ensure that it doesn’t happen again.”
All members affected will receive a letter from Desjardins.
As a precaution, Desjardins pledged to offer those affected a credit-monitoring plan and identity theft insurance for a year. Desjardins will pay for the plan.