The personal information of more than 2.9 million Desjardins Group members, including 173,000 businesses, may have been sold to a criminal group outside of Canada, according to a media report.
Last month, the Quebec-based financial institution said an employee who has since been fired illegally shared names, birthdates, social insurance numbers, addresses, phone numbers, email addresses and transaction patterns with individuals outside of the organization.
Le Journal de Montréal reported on Friday that the former employee suspected of leaking the information “would have managed to sell at least part of his loot to criminal groups.”
Citing unnamed police sources, Le Journal de Montréal said the suspect “would have had communications with no less than a dozen individuals who were closely or indirectly related to different criminal groups.”
The tabloid newspaper said the parties believed to be in possession of the data are likely “fragmenting” it so it can be sold in smaller pieces.
Desjardins is under examination by federal and Quebec authorities as a result of the data theft. The company has promised a five-year credit monitoring plan with identity theft insurance to members impacted by the breach.
"I'd like to reassure our members and clients: their accounts and assets with Desjardins are protected in the event of fraud,” Guy Cormier, president and CEO of Desjardins Group, said in a statement on June 20. “If they suffer a financial loss as a result of this situation, they will get their money back."
The House of Commons standing committee on public security will hold a hearing on the Desjardins data breach next Monday.