Montreal, June 20, 2019 - On June 14, 2019, the Laval police contacted Desjardins with information confirming that the personal information of more than 2.9 million members had been shared with individuals outside the organization. This includes 2.7 million individual members and 173,000 business members. This situation is the outcome of unauthorized and illegal use of our internal data by an employee who has since been fired. In light of these events, and given the circumstances, additional security measures were put in place on all accounts. Desjardins Group will be sending a letter to all members affected by the incident.
Personal members may have had the following information affected: first and last name, date of birth, social insurance number, address, phone number, email address and details about your banking habits and Desjardins products. Crucially, passwords, security questions, and PINs (personal identification numbers) were not compromised. This incident was not a cyberattack. Desjardins computer systems were in no way breached during this incident, which was the result of illegal acts committed by the above-mentioned former employee.
Our investigations show that information about business members was among the affected data. This includes identifying information, such as business names, addresses, telephone numbers, and the names of owners and AccèsD Affaires account users. Some information about owners or AccèsD Affaires users may have also been affected. If that is the case, these people will receive a letter informing them of the situation.
Protecting members and clients
Desjardins would like to reassure its members and clients that it has hired experts, is working closely with the Laval police, and has implemented additional security measures to protect its members' and clients' personal information, accounts and assets.
"I'd like to reassure our members and clients: their accounts and assets with Desjardins are protected in the event of fraud. If they suffer a financial loss as a result of this situation, they will get their money back. We regret this situation and are making every effort to ensure that it doesn't happen again," said Guy Cormier, President and CEO of Desjardins Group.
Members will also notice that the procedures for confirming their identity in person and over the phone have been improved. Other measures have also been implemented but these must remain confidential to ensure their effectiveness.
As a precaution, Desjardins will also offer affected members a credit monitoring plan and identity theft insurance for 12 months, paid for by Desjardins. These members will be contacted directly, and an activation code will be included in the letter they receive.
Members and clients who have questions or concerns can contact Desjardins at 1-800-CAISSES (1-800-224-7737), from 9:00 a.m. to 9:00 p.m., seven days a week. In order to provide the best support possible to affected members, Desjardins is asking anyone who has not received a letter informing them they've been affected to instead visit www.desjardins.com/personal-information for more information.
In addition to the security measures taken by Desjardins, members are encouraged to adopt good habits to ensure their assets, transactions and personal information remain secure. For example:
- Report any suspicious transactions in accounts
- Never click links or open attachments in unsolicited emails and text messages
- Use secure WiFi connections when making online purchases or checking bank accounts.
- Be suspicious of any emails or text messages asking for personal information.