Desjardins Group president and chief executive officer Guy Cormier, seen here in Montreal on Nov. 1, 2019, added that co-operative officials do not believe the data of the non-member customers was stolen or otherwise leaked.Graham Hughes/The Canadian Press
Desjardins Group is expanding its identity-protection plan to cover all of its eight million customers in the wake of one of the largest known Canadian financial service data leaks.
The Quebec-based banking and insurance co-operative announced Tuesday that the rogue employee who allegedly stole information on 4.2 million members also had access to personal information on an additional 1.8 million non-member customers with loans and credit cards.
Desjardins Group president and chief executive officer Guy Cormier added that co-operative officials do not believe the data of the non-member customers was stolen or otherwise leaked.
“They were not stolen. This ill-intended employee had access to this information but they were not stolen,” Mr. Cormier said. “No cards were compromised, there was no information related to passcodes or payments.”
Desjardins is adding the credit-card customers and another two million insurance and wealth-management customers to its free identity-theft and fraud-insurance program. The rogue employee had no access to wealth-management or insurance databases so their information should be safe, Mr. Cormier said. “We’re adding the protection to all clients and members because zero risk does not exist any more,” he added.
Last June, Desjardins disclosed an employee had leaked the personal information of 2.9 million members, including names, birthdates and social insurance numbers. Last month, the tally was raised to include all 4.2 million members. The rogue employee was fired and a police investigation is continuing.
Desjardins has not revealed how much extra it is spending on customer protection and compensation, nor how many people have suffered identity thefts because of the leak. Mr. Cormier said identity theft is so common in Canada it is nearly impossible to attribute any individual case of stolen identity to the Desjardins data leak.
The company severed ties with two senior executives on Monday after a review of the security breach.