Joint investigation launched into Desjardins data theft

MONTREAL -- A pair of privacy watchdogs have launched an investigation after a data breach at Desjardins Group that affected nearly three million members.

The Office of the Privacy Commissioner of Canada and its Quebec equivalent said the probes will examine whether Desjardins was in compliance with federal and provincial laws around personal information protection.

The financial co-operative operates mainly in Quebec, where it is subject to provincial law, but falls under federal privacy rules for its activities elsewhere in Canada.

A pair of class-action lawsuits were initiated last month that allege the organization either violated its members' privacy rights or showed negligence in safeguarding their personal and financial information.

The accessed data includes social insurance numbers, names and addresses of 2.7 million individual members and 173,000 business members.

Desjardins spokesman Jean-Benoit Turcotti said the organization was alerted to the investigation Monday and planned to co-operate with authorities.

Turcotti declined to comment on possible penalties that could result from the probe.

The two privacy watchdogs have collaborated before, including after hackers posted personal details on millions of customers -- including names, credit card numbers and sexual preferences -- gleaned from cheaters' dating website Ashley Madison, based in Canada.

Desjardins chief executive Guy Cormier said last month a lone suspect "acted illegally, betraying the confidence of Desjardins" in a "malevolent" act that was first detected in December.

The organization offered to pay for a credit monitoring plan and identity theft insurance for five years.

The security breach is among the biggest in Canada to come about internally, rather than via external cyberattacks, in recent years.

The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.

In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline's mobile app.

In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte and Walmart.