DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Investigation into Desjardins’ compliance with PIPEDA following a breach of personal information between 2017 and 2019

Posted on December 14, 2020 by Dissent

From the moment it was disclosed, it seemed clear that the  Desjardins breach of 2019 that involved a rogue employee was going to cause big trouble for Desjardins. And sure enough, in one day, they were hit with two potential class action lawsuits. Desjardins subsequently announced they were expanding the mitigation services being offered, but regardless of that offer, the Quebec and federal privacy commissioners announced days later that they were jointly investigating the breach. And as 2019 drew to a close, Desjardins had to announce that 1.8 million credit card holders may also have been impacted.

As 2020 draws to a close, the Privacy Commissioner of Canada has issued their report.  From the overview:

  1. On May 27, 2019, the Fédération des caisses Desjardins du Québec (“Desjardins”) notified the Office of the Privacy Commissioner of Canada (“our Office” or the “OPC”) of a breach of security safeguards that ultimately affected close to 9.7 million individuals in Canada and abroad. The compromised personal information included first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories. The number of individuals affected includes individuals whose personal information a malicious employee was able to access and/or exfiltrate.
  2. Desjardins also informed Quebec’s Commission de l’accès à l’information (the “CAI”) and other regulators of the fact that there were individuals within their jurisdictions that were affected by the incident.
  3. The OPC and the CAI launched investigations into this matter. To coordinate their efforts, the two Offices signed a collaboration arrangement on July 25, 2019.
  4. Desjardins concluded that the breach had been committed by one of its employees, who had been exfiltrating personal information over a period of at least 26 months. This raises the question as to whether Desjardins’ security safeguards were appropriate and whether it met accountability requirements with respect to the personal information entrusted to it. Given the age of some of the information compromised in the incident, the OPC also reviewed Desjardins’ data destruction practices.
  5. Our investigation concluded that Desjardins contravened the Personal Information Protection and Electronic Documents Act (“PIPEDA”)’s principles with regard to accountability, retention periods, and security safeguards. This report contains recommendations to Desjardins to address the contraventions found.

You can read the findings and the recommendations OPC made to Desjardins — recommendations that Desjardins reportedly agreed to.   From the report’s conclusion:

  1. In view of all the above, we consider the complaints to be well-founded and conditionally resolved.
  2. The OPC will monitor Desjardins’ progress on its implementation of our recommendations.

Whether this report has any impact on the civil litigation remains to be seen.

Related posts:

  • Desjardins reaches $200M class action settlement in wake of data breach
  • Canadian Privacy Commissioner troubled by poor computer disposal practices and lack of controls for wireless devices in government
Category: Commentaries and AnalysesFinancial SectorNon-U.S.Of Note

Post navigation

← New York State warns motorists of phishing scam asking for personal information
Norwegian Cruise Company Hurtigruten Experiences Cyber Attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.