Canadian financial institution Desjardins reported a data breach that compromised the personal information of 2.7 million customers and 173,000 businesses.
The compromised data included names, addresses, birthdates, social insurance numbers, email addresses and transaction histories. The breach was reportedly the result of employee misconduct. Investigators believe an employee sold the data on the dark web. Evidence of fraudulent credit cards opened in customer names has been reported.
“This is a very serious situation,” said the Autorité des marchés financiers (AMF), an organization responsible for financial regulation in Québec in a statement.
“The AMF is satisfied with the actions taken to date by Desjardins Group to protect the interests and assets of its members. It remains confident that the institution's officers have handled the situation with due rigour, transparency and speed and that the cooperation provided to law enforcement is full and complete,” it added.
Desjardins and its CEO were criticized following complaints by affected customers that registration for the five years of free credit monitoring offered by the company was difficult, with reports of crashed websites, long wait times on the phone, and limited support in French. After finding that only 13% of customers had signed up for the service, Desjardins expanded the service, offering lifelong identity theft protection for all of its clients, including those unaffected by the breach.
The Office of the Privacy Commissioner and the Québec Access to Information Commission have announced a joint investigation into the breach to determine if Desjardin was compliant with consumer protection regulations at the provincial and federal levels.
Read more about the story here.