Today, Desjardins, Canada's largest credit union and one of the world's biggest banks, announced a security breach caused by a former employee.
In a statement posted on its website, the bank said a bank employee had taken the data of 2.9 million members (2.7 million home users and 173,000 businesses and associated contacts) from its database, without authorization.
The bank said it fired the employee after learning of the incident from Quebec police last week, on Friday, June 14.
No passwords or card numbers exposed
Desjardins said that only personally-identifiable information (PII) was taken from its system, but not any e-banking passwords, security questions, account PINs, and credit and debit card numbers.
For home users, the exposed information included first and last name, date of birth, social insurance number, address, phone number, email address, and details of banking habits and Desjardins products.
For business customers, the exposed information included business name, business address, business phone number, owner's name and names of users on the AccèsD Affaires account.
The bank said it's working with local law enforcement on the case.
It also said it has started notifying impacted customers of the breach, and all affected individuals and businesses will receive breach notification letters in the coming days.
First breach in the bank's history
The bank went above and beyond to what similar organizations do in these cases. Besides providing paid-for credit monitoring services for all impacted customers, Desjardins also changed the procedures through which its staff confirms the identity of its customers, in person or over the phone, so the stolen data can't be used against impacted users.
"Other measures have also been put in place, but these must remain confidential to ensure their effectiveness," Desjardins said.
Article updated shortly after publication with information disproving Desjardins' claims that this incident marked the company's first data breach.
More data breach coverage:
- Evite e-invite website admits security breach
- EatStreet food ordering service discloses security breach
- Ad agency leaks data on US military veterans' combat injuries
- Equifax breach impacted the online ID verification process at many US govt agencies
- AMCA data breach has now gone over the 20 million mark
- Meds prescriptions for 78,000 patients left in a database with no password
- Facebook passwords by the hundreds of millions sat exposed in plain text CNET
- The largest cybersecurity breaches of the past three years TechRepublic