4.2 million Desjardins members affected by data breach, credit union now says

Desjardins Group says the theft of member data announced in June is far larger than initially thought and affects all 4.2 million members of the credit union.

Still only single suspect in breach as investigation led by Quebec provincial police continues

Guy Cormier, president and CEO of Desjardins Group, speaks during a news conference in Montreal Friday, explaining the data theft is much larger than first thought. (Ivanoh Demers/Radio-Canada)

Desjardins Group says the theft of member data announced in June is far larger than initially thought, affecting all 4.2 million individual members of the credit union.

The organization initially said the breach affected around 2.7 million people and 173,000 businesses, more than 40 per cent of the co-operative's clients and members.

"We're not announcing a new breach," Guy Cormier, president and CEO of Desjardins Group, said Friday at a news conference in Montreal. "This is an update on the same breach perpetrated by a malicious employee."

The credit union said the Sûreté du Québec (SQ), Quebec's provincial police force, had informed them a day earlier that the number affected had grown to 4.2 million "individual members" in Quebec and Ontario. This is the entirety of Desjardins' personal-banking clientele, the organization confirmed.

"There is no information at this time about whether or not more business members have been affected," Desjardins said in a statement.

There is still only a single suspect, the statement said, citing information shared by the SQ. No one has been charged.

The list of personal information leaked included names, addresses, birthdates, social insurance numbers, email addresses and information about transaction habits.

"As we said in June, passwords, identification questions and secret codes were not compromised by the data breach," Cormier said.

Desjardins is offering members a five-year credit monitoring service from Equifax, paid for by the co-op.

A member of a Quebec opposition party said the provincial government had praised Desjardins' crisis management even as 'millions of members were unaware that the leak was affecting them.' (Ivanoh Demers/Radio-Canada)

Cormier said there has not been a spike in fraud cases, either before or after the privacy breach was first announced on June 20. 

"Since the privacy breach was first announced, we've made it clear that we intended to enhance the Desjardins identity protection service," he said.

Quebec opposition parties renew call for action

When the breach was announced in June, Quebec's opposition parties called for a commission to look into banking practices and personal information in the province. At the time, Quebec Premier François Legault said he had faith in Desjardins' management to deal with the issue.

With the impact of the breach now much broader than originally thought, Québec Solidaire MNA Vincent Marissal noted in a statement Friday that the Legault government's praise of Desjardins' crisis management came while "millions of members were unaware that the leak was affecting them."

In a separate statement, Martin Ouellet, the Parti Québecois finance critic, called it "an exceptional situation" with more than half the province now affected. 

"The CAQ government must reconsider its decision … and move quickly with the establishment of a parliamentary commission to deal with this issue, as we have already repeatedly demanded," he said.

At a news conference Friday afternoon, Quebec Finance Minister Éric Girard acknowledged that "it would have been preferable if there was no data stolen and if it had been detected earlier."

But he said Desjardins' response was satisfactory.

"What's most important for Quebecers is that their assets are protected," he said. "There's prevention of fraud, and in the case of identity theft, there will be significant help. It means [Desjardins] are dealing with the situation adequately." 

Revised numbers came after September warrants

In an update on the investigation in September, the SQ said it was questioning 17 people in connection with the data breach. At the time, SQ Sgt. Claude Denis said the interrogations followed the execution of six search warrants at four residences and two businesses in Laval, Que., Montreal and Quebec City. 

Most of the people the SQ spoke with had tried to acquire the breached data, or parts of it, Denis said

Desjardins is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.