Canadian credit union group Desjardins has been criticised by the national privacy watchdog over last year’s data breach, which affected millions of customers.
Releasing his report on the incident earlier this week, privacy commissioner Daniel Therrien said the organisation had not paid enough attention to protecting the personal data in its care.
He found that a rogue employee had for more than two years siphoned sensitive personal information collected from customers who had purchased or received products through Desjardins.
In some cases this included first and last names, dates of birth, social insurance numbers, street addresses, telephone numbers, email addresses and transaction histories – leading to the potential for identity theft, said the report.
Mr Therrien told a press conference: “Canadians expect banking information to have a high level of protection, given its sensitivity.
“We recognise that’s easier said than done for a financial institution given the amount of personal data it owns and the level of complexity of its systems. However, an organisation such as Desjardins has the means to comply with the law.”
Mr Therrien’s report found that Desjardins had failed to meet several of its obligations under the federal privacy law.
This included: failure to ensure proper implementation of its policies and procedures for managing personal information; poor access control and data segregation in databases and directories; inadequate employee training; and a lack of proper procedures for the periodic destruction of personal information.
Desjardins agreed to recommendations to improve information security and the protection of personal data, and has committed to provide progress reports every six months, and to hire external auditors to assess its measures.
“Ultimately, we are satisfied with the overall mitigation scheme that Desjardins is providing to affected individuals, which goes beyond what we have seen from other organisations,” said Mr Therrien.
Posting its response on its website, Desjardins said it had cooperated fully with the regulatory authorities, and has developed strategies that are in line with their recommendations.
“These strategies have already been implemented or are being implemented right now,” it said.
Desjardins added that the financial regulator had also found the changes made to be “a clear improvement” and that its solvency, capital base, liquidity and profitability are not being called into question.
It said: “The privacy commissioners state that the breach affected 9.7 million individuals. This number corresponds to the number of active and inactive files that the ill-intentioned ex-employee had access to within Desjardins’s banking systems.
“These files belonged to individuals who at that time were caisse members or who were clients with a credit card or in-store financing, as well as former members and clients with those financing products, as announced in December 2019. Subsidiary databases were not affected.
“The information held by Desjardins suggests that the personal information of 4.2 million banking members who had active accounts at the time may have been disclosed to a third party. There is nothing that confirms that the ex-employee shared anyone else’s personal information with third parties. Desjardins began offering protection to all of these individuals in December 2019.”
Desjardins said it has “made great strides in information security over the past 18 months and will continue to apply international best practices”.
It said will continue to work with other partners to create a digital identity platform for Canadians, which allow information to be shared more securely and give people more control over their own information.
Steps taken to improve security after the breach include the creation of a security office for the entire group in December 2019 – with an investment budget of more than CA$150m (£87m, which will increase to more than $250m (£146m) next year. It brings together nearly 900 experts in cybersecurity, fraud prevention, personal information protection, anti-money laundering and financial crimes, from teams across four executive divisions.
A chief data officer was appointed to oversee information security, data security and data warehousing best practices.
New measures have been brought in to cover data retention timeframes, data monitoring, restrictions on date use and extraction, and data loss prevention.
“Desjardins Identity Protection remains one of the best available protection programmes in Canada,” the organisation added. “The Office of the Privacy Commissioner of Canada has stated that Desjardins Identity Protection provides substantially better protection than what has been offered by other organisations after major breaches.”
