Today, Desjardins, Canada's largest credit union and one of the world's biggest banks, announced a security breach caused by a former employee.
In a statement posted on its website, the bank said a bank employee had taken the data of 2.9 million members (2.7 million home users and 173,000 businesses and associated contacts) from its database, without authorization.
The bank said it fired the employee after learning of the incident from Quebec police last week, on Friday, June 14.
No passwords or card numbers exposed
Desjardins said that only personally identifiable information (PII) was taken from its system, and that no e-banking passwords, security questions, account PINs, or credit and debit card numbers were taken.
For home users, the exposed information included first and last name, date of birth, social insurance number, address, phone number, email address, and details of banking habits and Desjardins products.
For business customers, the exposed information included business name, business address, business phone number, owner's name and names of users on the AccèsD Affaires account.
The bank said it's working with local law enforcement on the case.
It also said it has started notifying impacted customers of the breach, and all affected individuals and businesses will receive breach notification letters in the coming days.
The bank went above and beyond what similar organizations do in these cases. Besides providing paid-for credit monitoring services for all impacted customers, Desjardins also changed the procedures through which its staff confirms the identity of its customers, in person or over the phone, so the stolen data can't be used against impacted users.
"Other measures have also been put in place, but these must remain confidential to ensure their effectiveness," Desjardins said.
Article updated shortly after publication with information disproving Desjardins' claims that this incident marked the company's first data breach.