Privacy regulators are launching an investigation into the data breach incident that impacted almost three million members of financial services company Desjardins Group.
The federal Office of the Privacy Commissioner of Canada and its counterpart in Quebec said that the probes will determine whether Desjardins was compliant with federal and provincial laws on personal information protection.
Although Desjardins operates primarily in Quebec – where it is subject to provincial law – it falls under federal privacy rules for its activities in other parts of the country.
Last month, Desjardins revealed that an employee with “ill-intention” had leaked sensitive data of some 2.7 million individual members and 173,000 business members. The leaked data included names, addresses, birth dates, social insurance numbers, email addresses, and even information on transaction habits.
While the company offered assurances that no passwords, security questions, or even personal identification numbers were compromised by the leak, two class-action lawsuits were lodged against the company claiming that the organization either violated its members’ privacy rights or showed negligence in protecting the information.
Some customers have even started an online petition to ask Desjardins to issue them new social insurance numbers in the wake of the leak.
Global News reported that the security breach is one of the biggest in Canada in recent years due to an internal leak, instead of via cyberattacks. A spokesperson declined to comment on possible penalties that could be imposed on Desjardins following the probe.