The Privacy Commissioner of Canada has determined that the Desjardins data breach was caused by a series of gaps in safeguards.
The incident took place in June 2019 after an employee leaked names, home addresses, social insurance numbers, email addresses, birth dates and data about users’ transaction habits.
Privacy Commissioner Daniel Therrien has concluded that Desjardins failed to implement its policies to manage personal information properly and that its databases’ data segregation was inadequate.
Therrien also found that employee training was lacking and that Desjardins did not implement retention periods regarding the destruction of personal information.
“Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care,” Therrien said in a news release.
“The organization’s customers and members, and all citizens, were justifiably shocked by the scale of this data breach. That being said, we are satisfied with the mitigation measures offered to those affected and the commitments made by Desjardins.”
The report says that Desjardins was aware of some of the security weaknesses that led to the breach and had created a plan to solve them. The company, however, did not address the issues in time to prevent the breach.
“Moreover, the breach occurred over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by the police,” the commissioner’s report notes.
For at least 26 months, a malicious employee exfiltrated sensitive information that Desjardins had collected from customers who had purchased products offered by the organization.
The report outlines that following the investigation, Desjardins has agreed to a series of recommendations to improve its security and the protection of personal information, including its data destruction practices.