Huge data theft by employee at Canadian credit union

Employee misconduct is among the biggest worries of CISOs. They hope staffers can be trusted so the focus is on external threats. And the fact is most cyber incidents will come from outside the firewall.

However, rogue employees can bite you. Quebec based credit union Desjardins Group found that out earlier this month when it learned a staffer had, in its words “shared” the personal information of more than 2.7 million individual members and 173,000 businesses with a person or persons outside the institution.

The institution, which has branches in Quebec and Ontario, gave some details Thursday.

It’s one of the largest publicly-reported data breaches among Canadian financial institutions.

Data of individuals exposed included first and last name, date of birth, social insurance number, address, phone number, email address and details about customer banking habits and Desjardins products.  Data exposed of business customers included addresses, telephone numbers, and the names of owners and AccèsD Affaires account users. Some information about owners or AccèsD Affaires users may have also been also been taken.

Passwords, security questions, and personal identification PIN numbers were not compromised.

“This incident was not a cyberattack,” the bank said in a statement. Desjardins computer systems weren’t breached during this incident, it emphasized.

The employee has been fired and police from the city of Laval are investigating. According to the CBC, Dejardin turned to the force last December after becoming suspicious about a transaction. However, apparently it was only this month when the data theft was confirmed.

The Globe and Mail quoted Desjardins chief operating officer Denis Berthiaume as saying the employee was  “a data specialist, who connived to get access to information he should not have had access to, and transferred it to a third party,” The Globe also said Dejardins doesn’t know who the data went to.

The most recently-reported breach of security controls at a Canadian financial institution was last May when the Bank of Montreal and CIBC’s Simplii Financial suffered data breaches with a combined total of 90,000 accounts hit.

To combat insider threats organizations often use behavioral analysis software, which looks for abnormal behaviours as a suspicious sign. However, that might not be noticed if the staffer has legitimate access to sensitive data.

While many surveys of CIOs and CISOs suggest insider threats are among their biggest concerns the extent of the threat isn’t clear. According to the annual Verizon Data Breach Investigations Report, which looks at hundreds of security incidents around the world, on average insiders are responsible for no more than 30 per cent of breaches.

Depending on the source as a category insider threats also include innocent misconfiguration of hardware and software.


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now