According to the Canadian Privacy Commissioner, Daniel Therrien, Desjardins "did not show the appropriate level of attention required for protection of the sensitive personal information entrusted to its care."
"Customers and members of the organization, as well as all citizens, were justifiably shocked by the scale of this data breach."
An employee was to blame for the incident
According to the investigation, the breach put data about 9.7 million Canadians at risk. The accounts included seven million customers from Quebec, said Diane Poitras, Chairman of the Quebec Commission.
For at least 26 months, a "malicious" employee was able to copy sensitive personal information collected by Desjardins from customers who had purchased or received products offered directly or indirectly by the organization, the report said.
The information was originally stored in two data warehouses to which the employee had limited access. However, other employees, as part of their job, regularly copied this information to a shared drive. As a result, employees who normally did not have the required permissions to access some of the confidential data were able to do so.
Speaking to reporters, Therrien called it unacceptable that a company the size of Desjardins did not have the capacity to prevent the breach.
"Canadians expect banking information to have a high level of protection, given its sensitivity," he said.
"Desjardins has identified some of the security vulnerabilities that ultimately led to the breach and has developed a plan to address them. However, it failed to rectify the issues in time to prevent what happened," said Therrien.
"Furthermore, the breach occurred more than two years before Desjardins discovered it, which only happened after the organization was notified by the police."
However, Therrien said he was pleased with the mitigation measures Desjardins offered to affected customers after the breach. In a statement, the company said it would work in the coming years to create what it called a digital identity platform. The company said this would allow information to be shared more securely and give people more control over their own data.