Police arrest 3 in connection with massive Desjardins data breach

Laval police criminal investigations assistant director Jean-François Rousselle announced Wednesday new arrests in the 2019 data breach that affected millions of customers. (Ivanoh Demers/Radio-Canada - image credit)

Laval police say they arrested three suspects Wednesday in connection with a massive data breach at Desjardins Group made public in 2019.

Imad Jbara, 33, and Ayoub Kourdal, 36, were charged with fraud, trafficking in identity information and identity theft. The third suspect has yet to appear in court.

An arrest warrant was also issued for a fourth suspect.

The data breach at the Quebec-based credit union is thought to be one of the largest ever among Canadian financial institutions, affecting roughly 4.2 million people and 173,000 businesses.

A suspicious transaction in Laval in December 2018 tipped off Desjardins.

Laval, Que., police criminal investigations assistant director Jean-François Rousselle said one of the suspects had a list of 1.6 million Quebecers' personal information.

The leaked information includes names, addresses, birth dates, social insurance numbers (SINs), email addresses and information about transaction habits.

Using the personal information gathered, the scammers would get a temporary password to log into AccèsD, Desjardins' login portal, and then make fraudulent transactions directly from the victims' accounts, said Rousselle.

Business accounts were mainly targeted this way, and $8.9 million was fraudulently transferred from Desjardins clients and never recovered.

In a statement to Radio-Canada, Desjardins praised the work of police and said it would continue to co-operate.

Desjardins found negligent

In 2022, the Superior Court of Quebec approved a more than $200-million settlement of a class-action lawsuit related to the breach.

Reports by the Office of the Privacy Commissioner of Canada and the Commission d'accès à l'information du Québec, the province's access-to-information commission, said Desjardins failed to live up to its obligations and was negligent in safeguarding its members' personal and financial information.

The financial institution paid for a credit-monitoring plan through Equifax and offered identity theft insurance for affected members for five years, which is expiring soon.

The Desjardins employee behind the leak worked in the marketing team at its head office and had access to personal information his database access rights did not allow him to obtain, said the Commission d'accès à l'information.

This confidential information was stored in directories shared by all marketing team employees.

Police reports related to fraud increased by 20 per cent in 2023 in Laval, as in the rest of Quebec, according to Rousselle.

"Scammers are ingenious and are always innovating their strategies to get more money out of their victims," he said.

"No one is safe from fraud.… Never share your personal information, bank information or give money to someone without confirming their identity."