Desjardins had a “series of gaps” in its systems that left it short of the requirements of Canada’s privacy act to protect personal information, Canada’s privacy watchdog says following its investigation of a data breach affecting 9.7 million Canadians.
The investigation’s findings, released today, said the financial services cooperative did not have proper policies and procedures for managing personal information; its access controls and data segregation were inadequate; employee training and awareness were lacking; and it had set neither a retention period for personal information nor a procedure for destroying it.
“Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care,” Daniel Therrien, Canada’s privacy commissioner, said in a release.
“The organization’s customers and members, and all citizens, were justifiably shocked by the scale of this data breach. That being said, we are satisfied with the mitigation measures offered to those affected and the commitments made by Desjardins.”
The data breach was disclosed in the summer of 2019, when Desjardins revealed that an employee had leaked names, addresses, social insurance numbers, birth dates, email addresses, and information about members’ transaction habits. At the time, Desjardins said it had not been the target of an external cyberattack and that the employee had been fired.
Desjardins did recognize some of its security weaknesses, the release said, but “failed to rectify the issues in time to prevent what happened.”
“Moreover, the breach occurred over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by the police,” the release said.
Therrien said at a press conference that large organizations like Desjardins have the resources needed to make the changes required to protect Canadians, and that it was unacceptable for them not to do so.
“You have the means to protect the personal information of Canadians, and you need to do that,” he said. “I think one of the most problematic issues that we’ve seen here was that Desjardins knew that it had vulnerabilities.”
Therrien said that under current privacy law, companies that fail to report breaches to his office or to the affected individuals face monetary penalties. In Desjardins’s case, no fines were imposed because the company reported the breach both to his office and to those affected.
However, he said that under the new privacy law proposed by the Liberals, companies would “expose themselves to monetary penalties” not only for failing to inform the commissioner, but also for failing to adopt the safeguards necessary to protect personal information.
He added that while his office would not be able to impose fines itself, it would be able to recommend them to a new tribunal that would make the final decisions on penalties.