Desjardins knew his vulnerability, but did nothing

Three new investigations flay the Desjardins Group on the protection of the personal information of its clients before the massive leak revealed in June 2019. The Office of the Privacy Commissioner of Canada, the Commission Access to Information of Quebec and the ‘Autorité des marchés financiers have all denounced the lack of prudence of the cooperative financial group.

The theft of personal data to which Desjardins was a victim is the worst crisis that Guy Cormier has had to go through since his arrival as President of the Desjardins Group.

© Ivanoh Demers / Radio-Canada
The theft of personal data to which Desjardins was a victim is the worst crisis that Guy Cormier has had to go through since his arrival as President of the Desjardins Group.

Although Desjardins was informed of the threat, she did not act diligently», Said the president of the Commission of access to information of Quebec, Diane Poitras. Its investigation reveals that an employee’s copying of data to USB drives was a “vulnerability that had already been identified“.

The Privacy Commissioner of Canada, Daniel Therrien, is of the opinion that the security measures were “more importantFor both external and internal threats. “This, according to him, is one of the lessons for other companies. Insider threats should not be overlooked.

The employee in question worked in the marketing department of Desjardins. His rights to access databases did not normally allow him to obtain the personal information he was able to steal.

This information was in directories shared by all employees of the marketing team, contrary to what Desjardins guidelines provide.”, We can read in the report of the Commission of access to information of Quebec.

The rest is known: the employee was able to potentially transfer, onto USB keys, the financial and identity profiles of 9.7 million people in Canada and abroad, including nearly 7 million Quebecers, for 26 months from January 2016, before Desjardins was notified by the police.

Among the possible victims of the leak, 4 million people were no longer members or customers. “Some of the inactive accounts were several decades old», Underlined Daniel Therrien. Their information should have been destroyed. He adds that the institution was after all “too slow to react“. In short, the largest security breach in Canadian banking history can be attributed to a “set of administrative and technological gaps“.

The two organizations conclude that Desjardins did not comply with several obligations imposed by the laws in force, but it will not suffer any further consequences.

Video: Personal data: the AMF orders Desjardins to do better (Le Devoir)

Personal data: the AMF orders Desjardins to do better

  • Our columnist Konrad Yakabuski's reading listOur columnist Konrad Yakabuski’s reading list

    Le Devoir Logo: Le Devoir smallFaviconThe duty

  • Canada to receive first doses of vaccine next weekCanada to receive first doses of vaccine next week
    Canada will receive 249,000 doses of the Pfizer-BioNTech vaccine during the month of December, pending approval by Health Canada. Prime Minister Justin Trudeau has announced that the first deliveries could arrive as early as next week. “This news means that we can get ahead of our vaccination plan,” said the Prime Minister. Before the first Canadian is inoculated, however, the vaccine must get the green light from authorities, who are also currently reviewing vaccines from Moderna, AstraZeneca and Johnson & Johnson. Pfizer-BioNTech vaccines will be dispensed in 14 distribution sites located in the country’s main urban centers. These centers are preparing to first vaccinate the priority groups identified by the government. Under agreements with the Canadian government, millions of doses of the Pfizer-BioNTech vaccine are expected in early 2021.

    Le Devoir Logo: Le Devoir smallFaviconThe duty

  • Flood of visitors in the orange zone in Saint-SauveurFlood of visitors in the orange zone in Saint-Sauveur
    While Quebec is recording records for new COVID-19 infections, Saint-Sauveur establishments are overheating. The mayor of this village in the Laurentians is demanding police roadblocks to stem the flow of tourists from the red zones. Despite the grievances of a large number of its citizens, the municipality of Saint-Sauveur is the most accessible destination for Montrealers. “I ask the Government of Quebec to legislate, to help us, Saint-Sauveur. Either by setting up roadblocks, or by allowing the police of the Sûreté du Québec to issue tickets to those from the red zones who come to our restaurants, ”implored Jacques Gariépy, in an interview with Le Devoir. On Saturday, his town on the border of the orange zone was once again stormed by tourists from the red zones. Almost all establishments were fully booked for dinner. By the way, a waiter admits that his regular clientele is “quite frustrated” with the crowd of tourists from the red zone. “I’m sure we’re going to have to shut down too if things continue the same,” he explains. “If the government doesn’t help us, it’s only a matter of time before everything is shut down. I find it easy, to say we let Saint-Sauveur go until it turns red, ”laments the mayor.

    Le Devoir Logo: Le Devoir smallFaviconThe duty



In fact, the federal law on the protection of personal information and electronic documents and the provincial law on the protection of personal information in the private sector are currently the subject of legislative reform in Ottawa and Quebec to tighten the requirements and regulations. penalties. Up to $ 25 million in fines are foreseen in the two reforms.

Security measures do not go far enough yet

The Autorité des marchés financiers also unveiled the findings of its own investigation on Monday. She “orders Desjardins to put in place a series of corrective measures as well as robust internal control mechanisms to effectively mitigate the risks of operational incidents […] and to respect its legal obligations to follow sound and prudent management practices“.

The regulatory body recognizes that Desjardins has implemented various measures to “increase its overall level of maturity in terms of information security and the protection of personal information“.

These measures still seem insufficient, since they “must go even further in order to fully meet its requirements and meet the best practices observed in systemically important financial institutions“.

Gardens “takes note” investigations

In a press release, the Desjardins Group says it takes note of the results of the three investigations and assures that it has “significantly strengthened its position in terms of safety“And specifies that, according to his information,”this is the information of 4.2 million members out of the total of 9.7 million people that would have been transmitted to third parties“.

A security office with a budget of 150 million dollars was set up at the end of 2019; it would be increased to over 250 million next year.

Asked to comment in more detail on the conclusions of the investigations, the financial group said that no leader will grant an interview on the subject.

Moreover, the investigation by the Sûreté du Québec in this case has so far not led to any arrest or accusation.

Leave A Reply

Your email address will not be published.