Emergency meeting in Ottawa on massive Desjardins data breach
Published Monday, July 15, 2019 11:53AM EDT
Last Updated Monday, July 15, 2019 6:03PM EDT
OTTAWA – MPs on the House of Commons Public Safety and National Security Committee convened in Ottawa on Monday for an emergency summer meeting on the breach of millions of Canadians’ personal information at Quebec-based credit union Desjardins.
In June, the major financial institution revealed that a since-fired employee had improperly accessed and shared the personal information of 2.7 million Canadians and 173,000 businesses. The leaked information included the names, addresses, birth dates, social insurance numbers, email addresses, and transaction habits of Desjardins clients.
On the joint request of opposition members, the Commons committee met on Parliament Hill Monday afternoon and quickly agreed to begin hours of hearings to discuss the breach and possible remedies, including issuing new Social Insurance Numbers (SIN) for all impacted clients. Public hearings with witnesses will continue into the early evening.
Over the course of the meeting, MPs heard from officials from several relevant federal agencies and departments, including the Canada Revenue Agency, as well as from representatives for Desjardins.
Desjardins CEO Guy Cormier told the committee that he felt it was too premature for a post-mortem on what happened in this case as investigations are ongoing, but that he hopes lessons for all Canadian organizations can be learned from this situation.
Speaking in French, Cormier told the committee that the employee alleged to be behind this massive leak of private information broke all of the rules, and as soon as his actions were brought to their attention, Desjardins took action as soon as possible. Cormier said that the credit union has done everything it can, including taking more steps to monitor its information and contacting the Canadians who have had their data stolen.
He suggested that the committee recommend the government create an advisory group to consider a new framework on digital data and identity, with the mandate to collaborate with members of the financial, telecommunications, and legal sectors to work on new ways to protect Canadians’ information.
"Status quo is not an option," Cormier told reporters following the meeting. He said in today’s world data is so integrated to the economy that "we have to be really, really carful about the people, the companies, and how we manage this data."
Mark Flynn, the RCMP’s director of cybercrime, offered general comments about how these types of cases are brought to light and probed, given the Desjardins investigation is not within the Mounties’ jurisdiction. Flynn also offered tips on how Canadians should respond when they believe they are victims of this or similar privacy breaches.
“People have to have a strong sense of skepticism and take action to protect themselves,” he said.
Liberal MP Francis Drouin, who was one of the clients who had his personal information leaked as part of this incident, is in Ottawa today to take part in the meeting.
In an interview on CTV News Channel, Drouin said that while he is supportive of the breach being studied by the committee, he doesn’t want it to “compromise” the police investigation underway.
“It will require patience from me and from the 2.7 million customers out there, but I think it’s important that they gather evidence and that we charge this person and they be criminally charged,” he said.
Andre Boucher, a witness representing Canada's electronic spy agency, the Communications Security Establishment (CSE) said this breach is an example of what the agency calls an “insider threat.”
“For any malicious actor, access is key. The privileged access of insiders within an organization eliminates the need to employ other remote means and makes their job of collecting valuable information that much easier. More broadly what this incident underscores is the human element of cyber security,” Boucher said.
“Quebecers, and all Canadians, affected by the theft of their personal data and information are anxious and need solutions. We must act quickly to help them and ensure this unacceptable situation never occurs again,” Conservative public safety critic and committee member Pierre Paul-Hus said in a statement last week calling for the special study.
NDP public safety critic Matt Dube told reporters that he’s glad the study is happening, to show Canadians that MPs are taking the matter seriously.
“Is there anything we can do through the law and through regulation to ensure the maximum protection?” Dube said, speaking to the impact the committee’s study could have.
Since the breach became public, both the Privacy Commissioner of Canada and his Quebec counterpart have launched a collaborative investigation into whether Desjardins acted in compliance with the relevant privacy protection laws.
Desjardins is now offering its clients free identity theft insurance and other financial and legal assistance for those who may have their identities stolen as a result of this breach. On Monday Desjardins announced that it will offer permanent data protection to all its members. Affected clients have launched class-action lawsuits.