The data security breach that affected Desjardins Group in June 2019 was undoubtedly the most monumental event of its kind in Quebec to date.   

Using simple USB sticks, an employee managed to steal the personal information of 4.2 million members. The fraud shook the organization to its foundation and sent shockwaves throughout the province.

“The event at Desjardins was a brutal wake-up call, an opportunity we must certainly seize,” president Guy Cormier told a parliamentary committee in Quebec City on Nov. 21. Grilled by politicians about this affair, he pointed out that internal fraud is the most difficult to combat, although the Group claims to have invested $70 million per year in IT security and cybersecurity.

The suspect had been working with Desjardins’ databases for several years. He bypassed the security parameters. This tactic, a Group expert insists, cannot be repeated. In the wake of this massive theft, Desjardins claims to have created new protection that is unparalleled in Canada, in record time.

Although Desjardins has reinsurers, this incident incurred a steep cost for the cooperative: the Group set aside a provision of $70 million in the second quarter, $40 million for protection for Desjardins Members and $30 million for Equifax service, plus legal expenses, for a total of nearly $150 million.

About 28 million Canadians affected

Data theft has become a global scourge, Cormier told the parliamentarians. Organizations are playing cat and mouse with the hackers. Each year, the Quebec multinational CGI discusses cybersecurity with 5,500 clients around the world, he said. In 2019, 20% of its clients said they had no plans to improve the security of the personal data they manage, and 20% said they want to invest in this domain but do not know what guidelines to use.

The Office of the Privacy Commissioner of Canada reports that 28 million Canadians were affected by data theft last year. Cormier adamantly objects to his Group being singled out. He emphasized that except for European Union countries, the vast majority of OECD nations are lagging far behind in their response to the pressing challenge of protecting personal information.

AMF sounded the alarm back in 2013

Autorité des marchés financiers CEO Louis Morisset, told Parliament that his organizations sounded the alarm about cyber risks and cyberattacks in back 2013. 

The AMF had asked 80 financial institutions, including Desjardins, to complete a 78 question self-evaluation survey. The respondents said they were aware of the threats and that they had taken measures to improve their practices and preparedness. The AMF also stepped up its own monitoring of financial institutions’ cyberattack risk.

The organization confirms that Desjardins informed it of the fraud incident within hours. Morisset says he is satisfied with the measures that the Group has taken to protect its members and their assets. AMF will have full access to the analysis and the action plan that Desjardins will produce following the data theft, and says it will keep a close watch to ensure their implementation within the specified timetable.