Desjardins data leak: Laval police arrest three suspects

More than five years after a massive leak of personal information at Desjardins, Laval police (SPL) announced the arrest of three suspects.

The individuals arrested in the last few hours are said to have participated in fraud totaling $8.9 million between September 2018 and January 2019, the SPL said at a press conference on Wednesday.

Police add they are “actively looking for a fourth individual for whom an arrest warrant has been issued,” said Jean-François Rousselle, assistant director of the Criminal Investigations Branch.

Two of the suspects, aged 33 and 36, are due to appear before a judge on Wednesday.

The third person arrested “is the subject of a promise to appear,” said Rousselle.

The suspects face charges of fraud over $5,000, trafficking in identifying information, possession of identifying information and identity theft.

“For example, the investigation revealed that one of the subjects had in particular in his possession a list of data targeting 1.6 million Quebecers,” explained Rousselle.

“These individuals used the data stolen from Desjardins in order to facilitate the conduct of their operating methods and to disperse funds in Canada, the United States, but also throughout the world. The main method of operation was to obtain, via the Accès D service, a temporary password using the users’ personal information that they had in their possession, to then proceed with transactions made directly from bank accounts via the web platform.”

Rousselle spoke of “a large-scale, complex investigation that required the involvement of the Sûreté du Québec and the Bureau de la grande criminalité et des affaires spéciales of the DPCP.”

The investigation led police to carry out searches in February, April and June 2019 in Laval, Montreal and Saint-Augustin-de-Desmaures.

“The searches allowed the seizure of a significant quantity of data, and 75 judicial authorizations notably made it possible to seize more than 70 computer items requiring countless hours of analysis. This represents thousands of documents and computer files,” explained Rouselle.

“This is one of the most complex investigations we have faced in our history and I would like to congratulate all of our troops and our partners who have worked tirelessly over the past five years on this important investigative project. I would also like to thank the RCMP and the Sûreté du Québec for their collaboration in this matter, as well as Desjardins,” said Rousselle.

In December 2020, two reports about the data leak that affected more than 9.7 million people in Canada and abroad in 2019, including nearly seven million Quebecers, concluded that Desjardins had not complied with several obligations imposed on it by the Loi sur la protection des renseignements personnels dans le secteur privé.

The report from the Commission d’accès à l’information du Québec underlined that the cooperative had “failed in its obligation to limit access to personal information, in particular that which is saved in shared directories.”

The Desjardins employee who caused the leak worked within the marketing team at Desjardins head office.

He had access to personal information that his access rights to the databases did not allow him to obtain, underlined the commission’s report.

Contrary to the directives, this confidential information was located in directories shared by all employees of the marketing team.

–This report by La Presse Canadienne was translated by CityNews