OTTAWA – A parliamentary committee is grappling with the consequences of a major data breach at Desjardins Group.
The breach, revealed in June, affected roughly 2.7 million people and 173,000 businesses.
Desjardins Group said names, addresses, birthdates, social-insurance numbers and other private information was leaked.
The Quebec-based financial institution said a single employee, who has been fired since the breach was detected in December 2018, was responsible. A police investigation into the incident is ongoing.
John McKay, the Liberal chair of the committee, said prior to the meeting several witnesses were set to appear, including cybersecurity experts from the RCMP, as well as other government officials and Desjardins employees.
Conservative Leader Andrew Scheer has called for the committee to examine whether issuing new social-insurance numbers to Desjardins members could protect them from identity theft and further privacy violations.
Speaking prior to the meeting, Conservative members described the possibility of re-issuing social-insurance numbers as just one of several that they might hear about.
“At the end of this, we’re hoping to get some clarity from witnesses on the way forward,” said Alberta Conservative MP Glen Motz. “I think it’s important to recognize that many options are available to government” to determine how to mitigate the effects of the breach both to Desjardins’ clients today and Canadians in the future, he said. Asked about Desjardins’ role in the situation, Motz said the financial institution, though it bore some responsibility, “is also a victim in this.”
“We’re here to listen to them, to understand their perspective, and to develop a way forward that is going to be advantageous to all Canadians,” he said.
The NDP member on the committee, Quebec MP Matthew Dube, also said prior to the meeting that it was not necessarily about confronting Desjardins but more about finding a productive way forward.
He added there is clearly an appetite among Quebecers to examine the possibility of changing social-insurance numbers.
Dube did not support the proposal, though, voicing skepticism that the federal government would be able to smoothly execute such a big move.
In addition to the committee’s study, privacy commissioners in Ottawa and Quebec will be working in tandem to investigate the issue and determine whether Desjardins had adequate data-protection policies in place.
Speaking to reporters separately Monday, Desjardins’ chief executive Guy Cormier said 13 per cent of the co-operative’s members – more than 360,000 people – had signed up for credit monitoring through Equifax, one measure Desjardins is offering to protect victims of the breach.
The measures announced Monday were:
– accounts and assets at Desjardins are protected in the event of unauthorized transactions – a service that was already offered.
– in the event of identity theft, a personalized support with access to experts and lawyers – a service that was reserved for certain members but is being extended to everyone, with additional measures like psychological support.
– a reimbursement of up to $50,000 for certain expenses related to identity theft, which could include things like notary fees, lost wages or accounting fees.
He said he is prepared to go to Ottawa to show that Desjardins isn’t hiding and that his management team is in control of the situation.
Cormier noted that with an ongoing police investigation, there were limits to what could testify to, but signalled he would ask MPs to consider security of digital identity of consumers as more and more transactions are conducted online.