The federal privacy watchdog uncovered a series of technological and administrative vulnerabilities that caused a high-level data breaches at Desjardins – the largest ever in the financial services sector of Canada.
In a report today, privacy commissioner Daniel Therrien said Desjardins had failed to demonstrate the level of attention needed to protect sensitive personal information entrusted to its care.
The incident compromised the data of nearly 9.7 million Canadians, the commissioner’s report says.
“Canadians expect banking information to have a high level of protection, given its sensitivity,” Therrien told a news conference.
“We recognize that’s easier said than done for a financial institution given the amount of personal data it owns and the level of complexity of its systems. However, an organization such as Desjardins has the means to comply with the law.”
For at least 26 months, a rogue employee was siphoning sensitive personal information collected by Desjardins from customers who had purchased or received products through the organization, Therrien found.
For some, the data included first and last names, dates of birth, social insurance numbers, street addresses, telephone numbers, email addresses and transaction histories.
This information was initially stored in two data warehouses for which the employee had limited access.
However, other employees, in the process of completing their work, will often copy that information to a shared memory. Therefore, employees who do not have the necessary documents can also access this information.
An investigation found that Desjardins did not meet some of its obligations under federal privacy laws. The company has agreed to a series of recommendations to improve information security and protect personal data.
In addition, the company is committed to providing quarterly progress reports as well as hiring outside auditors to test its programs.
This post is also available in: Tiếng Việt