The Organization
Desjardins Group is North America’s largest credit union federation and one of Canada’s most prominent financial cooperatives, with over 7.5 million members and nearly $400 billion in total assets. Headquartered in Lévis, Quebec, Desjardins provides banking, insurance, wealth management, and business financing products across Canada.
By every measure, Desjardins was a major, well-resourced financial institution with a substantial information security budget. It was not a small credit union operating on a shoestring.
What Happened
Between October 2016 and May 2019 — a span of at least 26 months — a Desjardins marketing department employee named Sébastien Boulanger-Dorval systematically exfiltrated sensitive personal and financial information from Desjardins’ internal data warehouses. The stolen data included first and last names, dates of birth, social insurance numbers (SINs), residential addresses, telephone numbers, email addresses, and detailed transaction histories.
The data was not stolen through a sophisticated exploit or zero-day vulnerability. The employee simply had access — authorized access — to data warehouses that were not properly segmented. While Desjardins’ banking data warehouse had been segmented to restrict access to confidential information, its credit data warehouse had no such controls. Any employee with warehouse access could view everything stored there.
Making matters worse, marketing employees with sufficient access rights were regularly copying confidential information from both warehouses to a shared marketing drive. Once transferred to this shared drive, employees who did not have authorization to access the original warehouses could access the data freely. The exfiltration went undetected for over two years, and Desjardins only became aware of the breach after being notified by police — not through any internal detection mechanism.
The stolen data was ultimately sold. According to media reports and investigators, the employee sold lists of Desjardins members’ personal information to a private lender. That information was then forwarded to a mortgage broker and an investment advisor, one of whom reportedly admitted to paying $40,000 for the data.
The Impact
Scale: 9.7 million individuals affected — including both active and inactive members. Of the total, approximately 4 million records belonged to people whose accounts had already been closed, raising serious questions about data retention practices.
Direct Costs: Desjardins publicly reported that the breach cost $108 million in direct expenses, including forensic investigation, credit monitoring for affected members, legal costs, and security remediation.
Settlement: In June 2022, the Superior Court of Quebec approved a class action settlement of CA$201 million — the largest data breach settlement in Canadian financial services history. Affected individuals could claim up to $90 for lost time and up to $1,000 if their identity was stolen.
Regulatory Findings: A joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and Quebec’s Commission d’accès à l’information concluded that Desjardins violated PIPEDA requirements in three areas: accountability, data retention, and security safeguards. The Privacy Commissioner stated that Desjardins “did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care.”
Ongoing Remediation: Desjardins created a Group Security Office with a $250 million annual budget, appointed a Chief Data Officer, and committed to making its security environment one of the most robust in the financial industry.
Root Causes — What Went Wrong
1. Insider Threat Was Not Treated as a Real Risk
The OPC’s investigation found that prior to 2019, Desjardins invested a significant portion of its security budget fighting external threats. The internal threat — from trusted employees with legitimate access — was not adequately addressed. The OPC noted that “the absence of a culture of vigilance against internal threats significantly contributed to the breach.”
Desjardins had a trusting corporate culture, which is admirable. But trust without verification is a vulnerability. The malicious employee was described as “a skilled and high-performing employee” and “a key resource for many of his colleagues.” Nobody suspected him, because no control had been designed to question what any trusted employee did with the access they already held.
2. Data Warehouses Lacked Proper Access Segmentation
The credit data warehouse — containing some of the most sensitive information Desjardins held — was not segmented. Any employee with access could view all data stored there, regardless of whether their role required access to sensitive personal information. The principle of least privilege was not enforced.
3. Data Was Being Copied to Shared Drives Without Controls
Marketing employees routinely copied confidential data from secured warehouses to shared drives as part of normal business operations. Once on the shared drive, access controls from the source system no longer applied. This created a secondary, unmonitored copy of sensitive data that was accessible far more broadly than intended.
4. No Data Loss Prevention (DLP) or Behavioural Monitoring
There was no mechanism in place to detect that an employee was systematically exporting large volumes of sensitive data over a 26-month period. No DLP rules flagged the movement of SINs or financial records to unauthorized destinations. No user behaviour analytics (UBA) detected the anomalous access patterns.
5. Excessive Data Retention
Roughly four in ten of the affected records (approximately 4 million of 9.7 million) belonged to people who were no longer active Desjardins members. Their data was still being stored in accessible warehouses years after their accounts had closed. Had Desjardins enforced data minimization and retention policies, the blast radius of the breach would have been dramatically smaller.
What AlecTech Would Have Done Differently
This case study is not about hindsight criticism of Desjardins — it’s about extracting lessons that every Canadian financial institution, credit union, and wealth management firm should apply today. Here is how AlecTech’s service stack directly addresses each root cause:
Access Governance and Least Privilege (Managed IT + VCISO)
AlecTech implements role-based access control (RBAC) across every managed environment. Access to sensitive data is granted based on job function and reviewed quarterly. When we onboard a managed IT client, one of our first actions is auditing who has access to what — and revoking everything that isn’t explicitly justified. Our VCISO service establishes the governance framework that ensures access reviews don’t happen once and get forgotten.
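As an added illustration of the "who has access to what" audit described above (example code written for this page, not AlecTech's tooling), the script below reconciles each user's effective entitlements, including access inherited through nested groups, against what the user's role justifies. The role names, group names, entitlement strings and users are constructed; in practice they would be pulled from the directory and the warehouse's own ACLs.

```python
"""Entitlement reconciliation for a least-privilege access review.

Added example, not AlecTech's tooling. The role/group/grant data below is
constructed; in practice it would come from the IAM directory and the
warehouse's own ACLs.
"""
from collections import deque

# Role -> entitlements that role justifies (the "should have" side).
ROLE_ENTITLEMENTS = {
    "marketing_analyst": {"dw_marketing_aggregates:read"},
    "credit_underwriter": {"dw_credit:read", "dw_banking:read"},
}

# Group -> (direct member users, nested member groups). Nesting is where
# unintended access usually hides: a broad parent group inherits everything.
GROUPS = {
    "g_marketing": ({"alice", "bob"}, set()),
    "g_credit": ({"carol"}, set()),
    "g_all_staff": (set(), {"g_marketing", "g_credit"}),
    "g_dw_readers": (set(), {"g_all_staff"}),  # every staff member ends up here
}

# Entitlement -> groups it is granted to (the "does have" side, as read from ACLs).
GRANTS = {
    "dw_credit:read": {"g_dw_readers", "g_credit"},
    "dw_banking:read": {"g_credit"},
    "dw_marketing_aggregates:read": {"g_marketing"},
}

USER_ROLES = {"alice": "marketing_analyst", "bob": "marketing_analyst",
              "carol": "credit_underwriter"}


def expand_group(group, groups=GROUPS):
    """All users transitively contained in `group` (BFS, safe against group cycles)."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        g = queue.popleft()
        direct_users, sub_groups = groups.get(g, (set(), set()))
        users |= direct_users
        for sub in sub_groups:
            if sub not in seen:
                seen.add(sub)
                queue.append(sub)
    return users


def effective_entitlements(grants=GRANTS, groups=GROUPS):
    """user -> entitlements reachable through any group path."""
    effective = {}
    for entitlement, granting_groups in grants.items():
        for g in granting_groups:
            for user in expand_group(g, groups):
                effective.setdefault(user, set()).add(entitlement)
    return effective


def excess_access(user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS,
                  grants=GRANTS, groups=GROUPS):
    """user -> sorted entitlements the user holds but their role does not justify.

    Users with no role on record are treated as justified for nothing, so all of
    their access is reported rather than silently ignored.
    """
    findings = {}
    for user, held in effective_entitlements(grants, groups).items():
        justified = role_entitlements.get(user_roles.get(user), set())
        extra = held - justified
        if extra:
            findings[user] = sorted(extra)
    return findings


def grant_paths(user, entitlement, grants=GRANTS, groups=GROUPS):
    """Top-level grant groups through which `user` receives `entitlement`,
    i.e. where the revocation (or the group membership fix) has to happen."""
    return sorted(g for g in grants.get(entitlement, set())
                  if user in expand_group(g, groups))


if __name__ == "__main__":
    for user, extra in excess_access().items():
        for ent in extra:
            print(f"{user}: {ent} via {grant_paths(user, ent)}")
```

In the constructed data the two marketing analysts end up with read access to the credit warehouse through the `g_dw_readers` -> `g_all_staff` -> `g_marketing` chain, which is exactly the unsegmented-warehouse pattern described in the root causes; `grant_paths` points the reviewer at the group where the grant has to be removed rather than at the individual users.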
Data Loss Prevention (MDR & SOC)
Our SOC deploys DLP policies that monitor for the movement of sensitive data — SINs, financial records, health information — across email, cloud storage, USB devices, and shared drives. When an employee copies 10,000 records containing SINs to a marketing folder, our systems flag it. The Desjardins breach went undetected for 26 months because nobody was watching for it. Our SOC watches for exactly this.
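To show what a rule that flags SIN-bearing files moving to an unapproved share looks like in practice, here is an added example (written for this page, not AlecTech's DLP product). It uses the Luhn check digit that Canadian SINs carry to discard the ordinary nine-digit numbers a bare regex would flag, counts distinct SINs per file, and grades the copy by destination and volume. The share names, thresholds and sample export are constructed; the SINs in the sample are checksum-valid dummies, not real numbers.

```python
"""DLP check for Canadian SINs in a file being copied to a new location.

Added example, not AlecTech's DLP product. SINs are nine digits with a Luhn
mod-10 check digit, so validating the checksum discards most arbitrary
nine-digit numbers that a bare regex would flag. The sample export below is
constructed; the SINs in it are checksum-valid dummies, not real numbers.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Three groups of three digits, optional space or hyphen separators, not part of a longer run.
SIN_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")

# Destinations where SIN-bearing files are expected (constructed, hypothetical share name).
APPROVED_DESTINATIONS = frozenset({r"\\dw-secure\exports"})


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10: double every second digit from the right, subtract 9 if the result exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sins(text: str) -> List[str]:
    """Checksum-valid SIN candidates in `text`, normalised to nine bare digits, in order found."""
    return ["".join(m.groups()) for m in SIN_RE.finditer(text)
            if luhn_valid("".join(m.groups()))]


@dataclass
class DlpFinding:
    path: str
    destination: str
    sin_count: int      # distinct SINs, so a file repeating one number is not over-counted
    severity: str       # "info" | "alert" | "block"


def evaluate_copy(path: str, destination: str, text: str, *,
                  block_threshold: int = 100,
                  approved: frozenset = APPROVED_DESTINATIONS) -> Optional[DlpFinding]:
    """Decide what to do with a copy of `text` from `path` to `destination`."""
    distinct = set(find_sins(text))
    if not distinct:
        return None
    dest = destination.lower()
    if any(dest.startswith(a.lower()) for a in approved):
        severity = "info"                       # expected flow, log only
    elif len(distinct) >= block_threshold:
        severity = "block"                      # bulk movement to an unapproved share
    else:
        severity = "alert"
    return DlpFinding(path, destination, len(distinct), severity)


# Constructed sample export. Row 1003 carries 123-456-789, which fails Luhn,
# and every phone number is ten digits, so neither is counted.
SAMPLE_EXPORT = "\n".join([
    "member_id,name,sin,phone",
    "1001,A. Tremblay,046-454-286,514 555 0100",
    "1002,B. Gagnon,130 692 544,418 555 0199",
    "1003,C. Roy,123-456-789,450 555 0123",
    "1004,D. Cote,213456783,819-555-0111",
])

if __name__ == "__main__":
    print(evaluate_copy(r"\\dw-credit\exports\members.csv",
                        r"\\corp\marketing\shared", SAMPLE_EXPORT))
```

The checksum matters for precision: without it, every ten-digit phone number that happens to be written as nine digits plus a separator, every account number and every timestamp becomes a hit, and analysts learn to ignore the rule. The `block_threshold` is the policy knob for the "10,000 records to a marketing folder" case; a single SIN in an e-mail still alerts, a bulk export to an unapproved share is stopped.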
User Behaviour Analytics (MDR & SOC + Themis)
Our Themis platform and SOC monitoring include behavioural baselines for user activity. When an employee who normally accesses 50 records per day suddenly exports 50,000, that deviation triggers investigation. Insider threats are harder to detect than external attacks precisely because the access is legitimate — but the pattern is not. Behavioural analytics catch the pattern.
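The following added example (written for this page, not AlecTech's Themis platform) shows a per-user baseline on daily record-access volume and goes one step beyond the 50-to-50,000 case above: a 26-month exfiltration can be spread thinly enough that no single day is a spike, so the detector also totals a rolling window against the baseline. The audit log, user names and thresholds are constructed.

```python
"""Per-user behavioural baseline on daily record-access volume.

Added example, not AlecTech's Themis platform. The audit log below is
constructed: (date, user, records_returned) as a warehouse query log might
record it. Baseline uses median and scaled MAD rather than mean/std, so a
few outlier days in the history do not inflate the threshold.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def _day(i):
    return (date(2019, 1, 1) + timedelta(days=i)).isoformat()


# 14 days of ordinary activity, around 50 records/day with some noise (constructed).
NORMAL_HISTORY = [40, 62, 50, 35, 70, 55, 45, 60, 50, 30, 65, 50, 48, 52]

AUDIT_LOG = (
    # u_mkt_1: normal history, then one 50,000-record export (the obvious case).
    [(_day(i), "u_mkt_1", n) for i, n in enumerate(NORMAL_HISTORY)]
    + [(_day(14), "u_mkt_1", 50_000)]
    # u_mkt_2: normal history, then 30 days at 80/day: never a spike, but
    # the month's total is 60% above what the baseline predicts.
    + [(_day(i), "u_mkt_2", n) for i, n in enumerate(NORMAL_HISTORY)]
    + [(_day(14 + i), "u_mkt_2", 80) for i in range(30)]
    # u_new: five days of history, too little to baseline.
    + [(_day(i), "u_new", 50) for i in range(5)]
)


def baseline(counts, min_days=10):
    """(median, scaled MAD) of historical daily counts, or None if history is too short."""
    if len(counts) < min_days:
        return None
    med = median(counts)
    mad = median(abs(c - med) for c in counts) * 1.4826   # scaled so MAD ~ std for normal data
    return med, max(mad, 1.0)                              # floor: flat history must not divide by zero


def robust_z(value, base):
    med, mad = base
    return (value - med) / mad


def detect(log, history_days=14, z_threshold=5.0, window=30, sustained_ratio=1.4, min_days=10):
    """Findings as (user, kind, date):
       spike                 one day's volume far above the user's baseline
       sustained             the last `window` days total far above baseline x window
       insufficient_baseline too little history to score; surfaced rather than skipped
    Baseline is taken from each user's first `history_days` days only, so later
    activity (including an attacker's) does not drag the baseline upward."""
    per_user = defaultdict(list)
    for day, user, n in sorted(log):
        per_user[user].append((day, n))
    findings = []
    for user, series in per_user.items():
        base = baseline([n for _, n in series[:history_days]], min_days)
        if base is None:
            findings.append((user, "insufficient_baseline", None))
            continue
        scoring = series[history_days:]
        for day, n in scoring:
            if robust_z(n, base) > z_threshold:
                findings.append((user, "spike", day))
        recent = [n for _, n in scoring[-window:]]
        if len(recent) == window and sum(recent) > sustained_ratio * base[0] * window:
            findings.append((user, "sustained", scoring[-1][0]))
    return findings


if __name__ == "__main__":
    for finding in detect(AUDIT_LOG):
        print(finding)
```

Two design points matter in an insider case. First, the baseline is frozen from an initial history window: if it were recomputed continuously, an employee who ramps up slowly trains the detector to accept the new volume. Second, a user with too little history produces a finding of its own rather than a silent pass, since new hires and newly provisioned service accounts are exactly where unexpected access often starts.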
Data Retention and Minimization (VCISO + Regulatory Compliance)
Our VCISO service includes policy development for data retention and minimization. We work with clients to define retention schedules by data type, enforce deletion of records that have exceeded their retention period, and ensure that inactive customer data isn’t sitting in accessible warehouses indefinitely. Four million records of former members should never have been available to any employee.
Security Awareness and Insider Threat Culture (Security Awareness)
Desjardins had a trust-based culture without verification mechanisms. Our security awareness program includes insider threat awareness training — helping employees and managers recognize the signs of data misuse, understand reporting procedures, and accept that verification is not a sign of distrust but a professional responsibility.
The Numbers That Matter
| Metric | Desjardins Impact |
|---|---|
| Records compromised | 9.7 million individuals |
| Duration of breach | 26+ months (undetected) |
| How it was discovered | Police notification (not internal detection) |
| Direct costs | $108 million (Desjardins-reported) |
| Class action settlement | CA$201 million |
| Inactive records exposed | ~4 million (accounts already closed) |
| Privacy Commissioner finding | PIPEDA violations in accountability, retention, and safeguards |
| Annual security budget created post-breach | $250 million |
Key Takeaway
The Desjardins breach was not caused by a sophisticated nation-state attack. It was caused by a trusted employee with too much access, in an environment with no insider threat monitoring, no data loss prevention, and no data retention enforcement. Every one of these failures is preventable with the right controls, the right monitoring, and the right governance.