Authorities Charge 3 Suspects and Issue Arrest Warrant for 4th in Case Involving Personal Data of 4.2 Million Canadians Stolen in the Desjardins Data Breach.
The Laval police criminal investigations unit has announced new arrests in connection with one of the largest data breaches in Canadian history, involving credit union Desjardins Group.
On Wednesday, assistant director Jean-François Rousselle said Imad Jbara, 33, and Ayoub Kourdal, 36, were charged with fraud, trafficking in identity information and identity theft relating to the massive 2019 data breach at Desjardins that impacted over 4 million members.
A third suspect appeared in court but their identity has not been released. Additionally, an arrest warrant was issued for a fourth suspect.
Desjardins Data Breach: What Happened?
The Desjardins data breach is believed to be one of the largest ever among Canadian financial institutions, compromising personal information including names, addresses, birthdates, social insurance numbers, email addresses and transaction details for roughly 4.2 million individuals and 173,000 businesses.
The leaked information was first discovered in December 2018 after a suspicious transaction in Laval tipped off Desjardins to potential fraudulent activity.
Rousselle says one of the suspects arrested was found to have a list containing the personal records of 1.6 million Quebec residents stolen in the breach. Using this stolen identity information, the scammers obtained temporary passwords to fraudulently access AccèsD – Desjardins’ online banking portal – and made fraudulent transfers directly from victims’ accounts. The transfers totaled $8.9 million, which was never recovered, and mainly targeted business accounts.
In a statement, Desjardins praised the work of the Laval police in investigating the case and continues to cooperate fully. The credit union had offered all affected members free credit monitoring and identity theft insurance for 5 years following the breach, though this coverage is set to expire. Subsequent investigations by privacy regulators found Desjardins negligent in safeguarding customer information, and the Quebec Superior Court approved a $200 million class action settlement in 2022 over the data theft.
Rousselle warned that despite ongoing arrests, fraud attempts continue to rise annually as criminals evolve their methods. He advises the public to never share personal or financial details without verifying an individual’s identity and to be wary of unsolicited requests for sensitive information.
Those impacted by the Desjardins breach should remain vigilant against potential identity theft even after credit protection expires. This high-profile case demonstrates the ongoing need to bolster cybersecurity practices among organizations handling Canadians’ private data.