The mass data breach at Desjardins — the largest ever in the Canadian financial services sector — was caused by a series of gaps in the Quebec company’s security setup, according to a new investigation by the federal and Quebec privacy commissioners.
“Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care,” Daniel Therrien, the privacy commissioner of Canada, wrote in a release published this morning.
“The organization’s customers and members, and all citizens, were justifiably shocked by the scale of this data breach.”
The report says the breach compromised the data of nearly 9.7 million Canadians.
For at least 26 months, a “malicious” employee copied sensitive personal information collected by Desjardins from customers who had bought or received products offered directly or indirectly by the organization, the report says.
The probe found a series of gaps in the company’s administrative and technological safeguards.
“Desjardins had recognized some of the security weaknesses that ultimately led to the breach and had developed a plan to remedy them. Nonetheless, it failed to rectify the issues in time to prevent what happened,” said Therrien.
“Moreover, the breach occurred over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by the police.”
However, Therrien said he is satisfied with the mitigation measures Desjardins offered to the affected customers after the breach.