Last year's incident "could have happened to other companies," federal privacy watchdog warns
A federal investigation into last year’s data breach at Desjardins, which ultimately compromised the personal information of 9.7 million Canadians, found that it was caused by a “series of gaps in administrative and technological safeguards” on the part of Desjardins, the largest federation of credit unions in North America.
The incident, the largest of its kind in Canada’s financial sector, was caused by a “malicious employee” who siphoned sensitive information collected from millions of Desjardins customers during a 26-month period.
Read more: Data breach attempts on Canadian organizations intensify
In his report on the investigation, federal privacy commissioner Daniel Therrien said that Desjardins “did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care.”
“Desjardins had already identified some of the deficiencies that ultimately led to the breach, but was too slow to react,” said Therrien.
The investigation revealed that Desjardins had failed to meet several of its legal obligations to safeguard the personal information of its customers – including failing to ensure the proper implementation of policies and procedures for managing personal information; inadequate access controls and data segregation; insufficient employee training and awareness of the sensitive nature of the information they handle; and not implementing retention periods or procedures regarding the destruction of personal information.
“It is difficult to see how an employee managed to exfiltrate Desjardins clients’ personal information for at least 26 months and that the financial institution only initially learned about what was happening from the police,” said Therrien. “Data protection is complex, especially for a large company like Desjardins, which deals with millions of people as well as business partners. The technologies involved are also complex. However, a company the size of Desjardins has the means, and the legal obligation to deploy these means, to protect its members’ data.”
Therrien also warned that what happened to Desjardins “could have happened to other companies.”
“As we know, these types of breaches happen all too often,” said Therrien. “This breach should serve as a lesson to other organizations.”