PIPEDA Report of Findings #2020-005: Investigation into Desjardins’ compliance with PIPEDA following a breach of personal information between 2017 and 2019 - Office of the Privacy Commissioner of Canada

December 14, 2020

Overview
On May 27, 2019, the Fédération des caisses Desjardins du Québec (“Desjardins”) notified the Office of the Privacy Commissioner of Canada (“our Office” or the “OPC”) of a breach of security safeguards that ultimately affected close to 9.7 million individuals in Canada and abroad. The compromised personal information included first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories. The number of individuals affected includes individuals whose personal information a malicious employee was able to access and/or exfiltrate.
Desjardins also informed Quebec’s Commission de l’accès à l’information (the “CAI”) and other regulators of the fact that there were individuals within their jurisdictions that were affected by the incident.
The OPC and the CAI launched investigations into this matter. To coordinate their efforts, the two Offices signed a collaboration arrangement on July 25, 2019.
Desjardins concluded that the breach had been committed by one of its employees, who had been exfiltrating personal information over a period of at least 26 months. This raises the question as to whether Desjardins’ security safeguards were appropriate and whether it met accountability requirements with respect to the personal information entrusted to it. Given the age of some of the information compromised in the incident, the OPC also reviewed Desjardins’ data destruction practices.
Our investigation concluded that Desjardins contravened the Personal Information Protection and Electronic Documents Act (“PIPEDA”)’s principles with regard to accountability, retention periods, and security safeguards. This report contains recommendations to Desjardins to address the contraventions found.
Background and scope
Twelve individuals whose personal information was compromised in the incident filed complaints against Desjardins with our Office. The complainants alleged that Desjardins had not sufficiently protected their personal information against illicit accesses, nor applied appropriate retention periods.
The compromised personal information (first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories) had been collected by Desjardins from its clients and members who purchased or received products offered directly or indirectly by the organization. The affected personal information varied depending on the product or service received and whether it related to a current or former client/member. Combined, these personal identifiers present a real risk of unauthorized use by malicious actors for identity theft. This risk is enduring because these identifiers are often used for identity validation and are relatively permanent.
A Desjardins member is an individual or company holding a share in a Desjardins credit union affiliated with the Fédération des caisses Desjardins du Québec or the Fédération des caisses populaires de l'Ontario. A Desjardins client is an individual or company doing business with an entity affiliated with Desjardins without necessarily being a member.
The compromised personal information was originally stored in two Desjardins data warehouses, the credit data warehouse and the banking data warehouse. Access to the latter was segmented according to whether the information was confidential (which included personal information) or non-confidential. The credit data warehouse was not segmented, and employees with the necessary authorizations could access all of the data, including personal information.
Our investigation revealed that in the course of fulfilling their duties, certain employees from Desjardins’ marketing department copied the compromised personal information from both data warehouses to the marketing department’s shared directory accessible to all employees of the department. These employees had the necessary authorizations to access the data warehouses, including confidential information (and personal information). The employee identified by Desjardins as the source of the breach, referred to in this report as the ‘malicious employee’, did not have access rights to personal information held in the banking data warehouse. However, he did have access to other non-confidential information contained in this warehouse.
More precisely with respect to the above, each month one or more employees performed an automated transfer of personal information from the credit data warehouse to their user folder(s) in the marketing department’s shared drive. Other employees in the marketing department copied confidential personal information from the banking data warehouse to a shared drive. Once transferred, employees who did not have the necessary authorizations to access the confidential information in the data warehouses were able to access it freely.
Between March 2017 and May 2019, the malicious employee copied this personal information from the shared drive, including information he would not normally have access rights to in the banking data warehouse, onto his work computer and then onto USB keys. This was in contravention of the confidentiality agreement he signed in the course of his employment.
According to various media reports, the malicious employee is suspected of having sold some of the personal information to a private lender. Some of the information was reportedly then forwarded to a second private lender, who was also a mortgage broker, and his partner, an investment and insurance advisor [Footnote 1]. This partner allegedly admitted to investigators from the Autorité des marchés financiers that he paid $40,000 to buy lists of Desjardins members’ personal information [Footnote 2]. As of the completion of this report, the police authorities were still conducting their investigation into the Desjardins Breach.
In light of these background facts, this report considers the following issues.
Issues
Issue 1. Given the failure of security safeguards in this breach, was personal information held by Desjardins protected throughout its life cycle by security safeguards appropriate to the sensitivity of the information as required by PIPEDA Safeguards Principle 4.7? Also, did Desjardins fulfill its responsibilities to implement procedures to protect the personal information and train its staff, as set out in Accountability Principle 4.1?
Issue 2. Given the age of some of the personal information in question, was the personal information of individuals handled in accordance with the retention and destruction requirements as set out in PIPEDA Principle 4.5, limiting use, disclosure and retention?
Issue 3. Given that the compromised information presents an ongoing risk of harm for those affected, were the mitigation measures offered by Desjardins to affected individuals adequate to protect their personal information from unauthorized use, such as future identity theft, in accordance with PIPEDA Safeguards Principle 4.7?
Jurisdiction
Desjardins operates mainly in Quebec, but also conducts activities in other Canadian provinces and abroad. Desjardins is subject to both An Act Respecting the Protection of Personal Information in the Private Sector in Quebec and the federal law, PIPEDA. PIPEDA applies in respect of Desjardins’ activities in provinces without legislation considered to be substantially similar to PIPEDA. PIPEDA also applies where there is an interprovincial or international flow of personal information in the course of Desjardins’ commercial activities. Some of the personal information compromised by the breach was collected by Desjardins in the course of its activities outside Quebec but was stored in that province.
Cooperation agreement between the OPC and the CAI
The OPC and the CAI launched investigations into this matter. To coordinate efforts, the two Offices signed a collaboration arrangement on July 25, 2019. Throughout the investigation, the OPC and the CAI exchanged relevant information, worked together to identify required information and documentation, and jointly prepared for and conducted various interviews and a site visit at Desjardins’ office.
Methodology
In reaching our conclusions in this investigation, we consulted various open sources and reviewed the information provided by Desjardins through different means, including the following:
written submissions, including those received in response to specific questions from the OPC;
telephone and in-person interviews with key individuals, including a site visit at Desjardins’ office in Montréal on July 16 and 17, 2020;
demonstrations of technological security safeguards during our site visit at Desjardins’ office; [Footnote 3]
a sample of the compromised data types;
copies of documents relevant to the file:
the organization’s relevant policies and directives
security standards and risk analysis reports
training materials
Desjardins’ organization chart and network diagrams
the organization’s code of ethics
corrective measures that it has implemented or intends to implement.
We analyzed the technological and organizational security safeguards deployed by Desjardins at the time of the incident. The analysis also covered the methods used by Desjardins to implement its new security program and the anticipated timelines for deployment.
We also compared the safeguards implemented by Desjardins with those observed in previous OPC investigations and with the relevant standards and best practices, especially with respect to combatting insider threats.
Upon completion of our investigation, we issued a preliminary report of investigation to Desjardins, which set out and explained the rationale for our preliminary conclusions and identified several recommendations. We then met with Desjardins to address any questions or comments they had, and to discuss our recommendations.
The OPC cooperated and coordinated with the CAI throughout this investigation.
Desjardins cooperated with our Office throughout the investigation and has confirmed its agreement to implement the recommendations of this report.
Issue 1. Desjardins’ security safeguards and its responsibility to implement procedures to protect personal information and train employees
Under PIPEDA Principle 4.7, personal information must be protected by security safeguards appropriate to the sensitivity of the information. In our view, this is applicable throughout the entire life cycle of the information. The security safeguards must protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification (4.7.1). The methods of protection should include (4.7.3):
physical measures, for example, locked filing cabinets and restricted access to offices;
organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
technological measures, for example, the use of passwords and encryption.
Under PIPEDA Principle 4.1, an organization is responsible for personal information under its control. As stated by Principle 4.1.4, organizations must implement policies and practices to give effect to PIPEDA principles, including implementing procedures to protect personal information [4.1.4(a)], and training staff and communicating to staff information about the organization’s policies and practices [4.1.4(c)].
Description of the overall architecture
The compromised information was held in two data warehouses: the banking data warehouse and the credit data warehouse.
To access the information from these two data warehouses, marketing department employees had to use a search and analysis tool accessible through a virtual environment.
Desjardins restricted access to the personal information stored in the two data warehouses through specific access rights, including within the marketing team. However, the technological protection measures in place did not prevent the downloading of files containing personal information from the two data warehouses to shared drives accessible to marketing department employees.
Marketing department employees all had access to a shared directory which was separated into various subfolders organized by user or other criteria. There were also folders where access rights were limited to certain employees and which were designated for the storage of downloaded confidential information.
Marketing department employees were also authorized to use file transfer software to copy documents from the shared directory to their work computers.
Figure 1: How the breach occurred
How the breach occurred
Our investigation revealed that the compromised information was copied by certain Desjardins marketing department employees from the two data warehouses to the marketing department’s shared drive. As mentioned above, these employees had the necessary authorizations to access the confidential information.
Each month from January 2016 to June 2018, one or more employees from the marketing department used a manual script to transfer data, including personal information, from the credit data warehouse to their user folder in the shared directory. Desjardins characterized this operation, of which several employees were aware, as being non-compliant with best practices.
On September 18, 2017, and November 13, 2018, certain employees of the marketing department copied confidential information, including personal information, from the banking data warehouse to the shared directory. This information was copied into subfolders that were accessible to all the employees in the marketing department. Desjardins also found that these practices were not compliant with its rules. These employees should have copied the protected information into the confidential folder of the marketing department’s shared directory.
The malicious employee did not have the necessary authorizations to access the confidential information in the banking data warehouse. By using personal scripts, the malicious employee was able to compile the data saved by his colleagues in the shared directory. The malicious employee then saved this information in his user folder and in another folder of the marketing department’s shared directory.
He then used file sharing software to transfer the compiled information to his work computer and then onto USB keys.
Analysis
The affected personal information varies depending on the product or service received by the Desjardins member or client. For some, it includes first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories. Such data elements can be considered sensitive on their own. When combined, they can also be exploited by malicious individuals to steal the identities of the persons concerned. Therefore, in accordance with PIPEDA, the security safeguards implemented by Desjardins to protect this personal information should be commensurately high.
Prior to 2019, Desjardins invested a significant portion of its overall information security budget to fight against external threats. However, the breach that is the subject of our investigation is internal in nature. These breaches are those that occur as a result of actions taken by people who work within an organization and may compromise the confidentiality, integrity and availability of information held by the entity. They can be intentional or not, and are more difficult to prevent than attacks caused by external threats, in particular because they are the work of technically competent employees who know the company’s systems and security weaknesses, where information is located, and how to circumvent the protective processes in place.
There are generally three types of insider threats. The first type is unintentional and non-malicious, such as when an employee downloads a document onto their computer because they are unaware of the existence of policies and procedures prohibiting this act. The second type is intentional but non-malicious, such as when an employee copies personal information to an open shared directory to speed up their work, despite policies and procedures prohibiting this practice. Finally, the third type is intentional and malicious, such as when an employee copies confidential information onto a personal USB key, knowing that this violates existing policies and procedures, doing so for personal gain, revenge or as a form of protest.
The investigation revealed that Desjardins is an organization in which a sense of employee belonging is very present, and where there is a climate of trust. It is commendable to have a trusting relationship with employees, but it must also be accompanied by a culture that adopts verification and control measures. Although the organization had implemented certain measures to deal with an insider threat, we found that it did not have all the necessary measures in place to detect the scheme carried out by a malicious individual who, according to Desjardins, was a skilled and high performing employee, and who was a key resource for many of his colleagues. In our view, the absence of a culture of vigilance against internal threats significantly contributed to the breach.
Several measures can be taken to combat insider threats. For our analysis in this case, we focused on the five elements below. We consider them particularly relevant to the breach that occurred at Desjardins:
Security screening and confidentiality agreements
Organizational policies and procedures
Employee training and awareness
Access controls and data segregation
Oversight and monitoring
Security screening and confidentiality agreements
Security screenings are the first line of defence against insider threats and are considered an organizational protective measure (see Principle 4.7.3 (b) under PIPEDA). They allow the organization to identify job candidates or employees with suspicious backgrounds or conduct that make them unsuitable to be given access to certain resources.
At the time of the breach, Desjardins was conducting security screenings [Footnote 4] before hiring employees or when transferring them to a new position. For employees in designated positions, security clearances are renewed every five years.
Desjardins stated that its security division had conducted a security check on the malicious employee prior to his hiring. The screening raised no concerns. After he was hired, the employee signed a code of conduct attestation on an annual basis. He also signed a confidentiality agreement specific to his duties.
The OPC found that Desjardins’ security screenings are acceptable and consistent with currently recognized standards and practices. [Footnote 5] While security screenings are necessary, they are insufficient on their own to combat insider threats. Additional security safeguards are required, such as policies, training and control measures.
Organizational policies and procedures
According to PIPEDA Safeguards Principle 4.7.3, methods to protect personal information should include physical, organizational and technological measures.
Policies and procedures are pillars of privacy protection and constitute important organizational measures for protecting personal information throughout its life cycle. They define the organization’s strategy, its expectations of its employees, and its various roles and responsibilities for combatting identified threats. Accordingly, having and implementing adequate policies and procedures in itself constitutes a safeguard. These documents form part of the tools that employees need to fully assume responsibility for the protection of personal information.
Under the PIPEDA’s Accountability Principle, an organization is required to implement procedures to protect personal information [4.1.4(a)]. To be effective, security policies and practices must be applied appropriately and consistently. In our view, an organization should be able to verify whether its employees are following them.
Desjardins had a large number of directives, policies and procedures for the protection of personal information:
Règle Mouvement sur la gestion des Identités et des Accès [Desjardins identity and access management rules]
Directive Mouvement de Sécurité des technologies de l’information [Desjardins security of information technology directive]
Directive Mouvement sur l’utilisation acceptable des technologies [Desjardins directive on the acceptable use of technology] (Version 1: August 2013, revised in October 2018)
Directive Mouvement sur la gestion des documents [Desjardins directive on document management]
Standard de Sécurité sur l’utilisation de données confidentielles ou secrètes hors des environnements de production [Security standards on the use of confidential or secret information outside of production environments]
Standard de Sécurité des postes de travail [Security standards for work stations]
Standard de Sécurité sur la Sauvegarde de l’information et sur la Gestion des supports de sauvegarde [Security standards for information backup and backup storage media management]
Standard de Sécurité sur la gestion des accès logiques [Security standards for the management of access rights]
Standard de sécurité sur la surveillance et journalisation [Security standards for monitoring and logging]
Politique Mouvement de Sécurité de l’Information [Desjardins information security policy]
Politique sur la protection des renseignements personnels [Personal information protection policy]
Code d’Utilisations entrepôt de données bancaires [Code governing the use of the banking data warehouse]
Code de Déontologie [Code of ethics]
Certain relevant policies and procedures were incomplete or had not been implemented. Examples include the personal information retention schedule, standards for managing shared directories, and granting high-level privileges, as well as rules governing the use of confidential personal information extracted from the banking data warehouse.
In our view, Desjardins’ most significant failing in this area is with regard to the implementation of its policies and procedures. Despite the existence of many, we identified several examples of Desjardins having failed to take the necessary steps to ensure their complete and integrated implementation. Some are listed below.
Desjardins’ Standard de sécurité sur la protection des données [Security standards for data protection] specifies that only authorized personnel may access, disclose or modify information. It also specifies that confidential information must be protected throughout its life cycle and that all owners of electronic document repositories containing secret or confidential information must ensure that accesses and permissions are managed to ensure confidentiality. Desjardins did not implement safeguards to prevent or control the transfer of confidential personal information from the data warehouse to folders accessible to unauthorized employees and from there to computers and removable storage devices.
The Standard Mouvement sur l'utilisation des technologies [Desjardins directive on the use of technology] prohibits the storage of personal information on devices that do not belong to the organization. Despite the existence of this directive, Desjardins' systems did not prevent the use of personal removable storage devices. Desjardins had identified this issue before learning of the breach or how the malicious employee extracted the compromised personal information. Even though Desjardins was in the midst of deploying a solution, which would have ultimately eliminated the use of personal storage devices, it failed to prevent the breach.
The Standard de Sécurité sur l'utilisation de données confidentielles ou secrètes hors des environnements de production [Security standards on the use of confidential or secret information outside of production environments] states that transfers of secret data outside of a protected production environment are prohibited unless the data is first removed, masked or replaced by a dataset. It also states that employees must submit a request and have it authorized before transferring any confidential data to a non-production environment. The breach demonstrates that, despite these stipulations, it was possible to transfer confidential personal information out of the protected production environment without masking it or making a transfer request.
At the time of the breach, Desjardins had a wide array of directives, policies and procedures for the protection of personal information. However, in several cases, Desjardins failed to adequately implement certain of the directives, policies and procedures it had developed.
Employee training and awareness
Organizations must make their employees aware of the importance of maintaining the confidentiality of personal information (PIPEDA Principle 4.7.4). They must also train staff and communicate to staff information about the organization’s policies and practices (Principle 4.1.4(c)).
The human factor is the weakest link when it comes to information protection in a technological environment, which is why raising employee awareness is so crucial. It is also key to the implementation and success of information security policies; hence, the importance of training to ensure employees fully understand their roles and responsibilities and how to fulfill them.
For the policies and procedures to be implemented effectively, employees must not only be made aware of them but also be able to understand them.
Desjardins provides each new employee with about 23 hours of onboarding training, including a 3.75-hour component covering the protection and security of personal information.
Desjardins states that it has an ongoing training and awareness program for its employees covering information security and protection of personal information. All employees go through this training. Desjardins also conducts awareness campaigns throughout the year to reiterate key messages and best practices in the protection and security of personal information. It did not, however, provide any indicators demonstrating that its employees understood the content.
Also, while many of the malicious employee’s actions were clearly contrary to several of Desjardins’ policies and procedures, it should be noted that employees with legitimate access rights downloaded files to shared sub-folders in the shared drive that was accessible to all marketing employees. These actions constituted non-compliant processing according to Desjardins’ policies and procedures, and did not follow best practices. This raises the question of whether the training provided made them sufficiently aware of the importance of maintaining the confidentiality of personal information, and of the serious consequences of making personal information accessible to unauthorized third parties.
In view of the sensitivity of the personal information held by Desjardins and the complexity of the issues related to protecting personal information within such an organization, we found that there were critical gaps in employee training and awareness at the time of the breach.
Access controls and data segregation
According to PIPEDA Safeguards Principles 4.7.3 (b) and (c), methods of protection should include organizational and technological measures to protect personal information.
Desjardins’ Standard de sécurité sur la protection des données [Security standards for data protection] specifies that only authorized personnel can access, disclose or modify information. It also specifies that confidential information must be protected throughout its life cycle and that all owners of electronic document repositories containing secret or confidential information must ensure that access and permissions are managed to ensure confidentiality.
Also, the Règle Mouvement sur la classification de sécurité de l'information [Desjardins information security classification rules], which came into effect on April 22, 2015, and was revised on August 28, 2018, states that information must be protected according to its classification so that it remains secure for its entire life cycle, namely, in the course of collection, use, disclosure, retention and destruction.
Access to the confidential information in the banking data warehouse was limited to employees with the appropriate authority. Desjardins therefore had policies in place to control and manage access rights and had taken certain steps to implement them.
However, Desjardins’ information system allowed authorized users to move restricted data to unprotected directories and storage media without any controls (see paragraphs 10 and 11). Desjardins could have reduced the exposure of the information by substituting it with non-confidential (masked) information, by using, for example, the tokenization technique recommended by its data protection security standards.
The personal information of some clients who were not Desjardins members was affected by the breach. In its representations, Desjardins stated that this information ended up in the banking data warehouse in error, without providing any further explanations. We understand from this that Desjardins failed to comply with its own standards governing the segregation of data.
The gaps set out in paragraphs 53 and 54 demonstrate that Desjardins did not effectively manage access rights and data segregation, which are important security measures, and was thereby in contravention of PIPEDA Principle 4.7.
Oversight and monitoring
According to PIPEDA Safeguard Principle 4.7.3, security methods for protecting personal information should include physical, organizational and technological measures.
Oversight and monitoring are indispensable to any personal information protection system. They can detect suspicious uses of resources and employees’ potential non-compliance with the organization’s directives and policies.
In its information technology security standards, Desjardins states that threat detection begins with logging security events, such as system access attempts. [Footnote 6] These standards also state that an alert system based on event monitoring and correlation must be implemented. [Footnote 7]
Desjardins’ data protection security standards [Footnote 8] state that, depending on the level of risk, monitoring is required to identify confidential information stored in unauthorized repositories. This can be accomplished, for example, by using a data loss prevention (DLP) solution.
A DLP can detect and prevent the potential exfiltration of sensitive data, whether it is in use, in transit or at rest. It is used to combat not only external threats, but also insider threats by preventing employees from transferring sensitive data, intentionally or otherwise. An external firm’s evaluation report on Desjardins’ information security, published in May 2018, stated that Desjardins had partially deployed a DLP solution. In fact, during the breach, Desjardins commenced its deployment. For example, the DLP solution for email monitoring was implemented in 2018, while web filtering capabilities of the DLP were not activated until 2019.
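As an added illustration (not part of the OPC's report and not Desjardins' tooling), the at-rest monitoring described above can be sketched as a scan of a shared directory for social insurance numbers stored outside the folders approved for confidential data. The folder layout, file names and sample values are constructed for the example; candidates are validated with the Luhn checksum used by SINs and are reported masked.

```python
import re
import tempfile
from pathlib import Path

# Nine digits, optionally grouped 3-3-3 with one consistent separator,
# and not embedded in a longer run of digits (so phone numbers do not match).
SIN_RE = re.compile(r"(?<!\d)\d{3}([ -]?)\d{3}\1\d{3}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list:
    """Return masked SIN candidates found in text (last three digits kept)."""
    hits = []
    for m in SIN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append("***-***-" + digits[-3:])
    return hits


def is_approved(rel: Path, approved: list) -> bool:
    """True if rel lies inside one of the folders approved for confidential data."""
    return any(a == rel or a in rel.parents for a in approved)


def scan_tree(root: Path, approved: list, max_bytes: int = 5_000_000) -> list:
    """Walk root and report every file that contains Luhn-valid SIN candidates."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        hits = find_sins(path.read_text(encoding="utf-8", errors="ignore"))
        if hits:
            rel = path.relative_to(root)
            findings.append({
                "path": rel.as_posix(),
                "count": len(hits),
                "masked": hits,
                "authorized": is_approved(rel, approved),
            })
    return findings


def build_sample_share(root: Path) -> None:
    """Create a constructed share layout; all names and numbers are test values."""
    files = {
        "marketing/confidential/extract.csv":
            "name,sin\nA. Tremblay,046 454 286\n",
        "marketing/users/user_a/credit_2018-06.csv":
            "name,sin,phone\nA. Tremblay,046-454-286,514-555-0199\n"
            "B. Roy,130692544,418-555-0123\n",
        "marketing/users/user_b/notes.txt":
            "Ticket 123456789 closed; call 514-555-0199.\n",  # fails Luhn
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        build_sample_share(share)
        for f in scan_tree(share, [Path("marketing/confidential")]):
            status = "ok" if f["authorized"] else "UNAUTHORIZED LOCATION"
            print(f"{f['path']}: {f['count']} SIN(s) {f['masked']} [{status}]")
```
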
In addition to the DLP, several technological approaches may be used to ensure active monitoring of electronic information systems. This proactive approach generates alerts if anomalies are identified in the analysis of the event logs. Desjardins was limiting itself to passive measures such as analyzing event logs only after incidents were reported. In our view, Desjardins could have prevented or minimized the data breach had it optimized the use of these tools. That said, at the time of the breach, Desjardins was in the process of deploying active surveillance measures.
The primary function of the Security Information and Event Management (SIEM) system, one of the technological tools for active surveillance, is to correlate and aggregate information from logs from several sources (databases, servers, etc.). The information collected is analyzed in real time. If any departure from the norm is identified, the SIEM generates alerts and initiates actions to combat the potential threat. Before the breach, Desjardins had a SIEM in place; however, it was replaced in June 2019, after the breach was detected, by a superior product.
User and entity behaviour analytics (UEBA) is a solution that models user and device behaviours on organizational networks. This enables an organization to identify abnormal behaviour and alert security teams. For example, if a user who does not typically download large files attempts to do so, the UEBA will generate an alert. At the time of the incident, Desjardins did not have a UEBA solution in place.
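The following is an added example, not code from the OPC report or from Desjardins: a minimal sketch of the active monitoring described above, aggregating transfer events per user and day and comparing each day to that user's own baseline, next to a static per-transfer size rule. All user names, destinations, sizes and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

MB = 1024 * 1024

def build_sample_events():
    """Constructed events (day, user, destination, bytes); all values invented."""
    events = []
    for day in range(1, 13):
        # analyst_a pulls one small extract a day; for analyst_b large ones are routine.
        events.append((day, "analyst_a", "workstation", (40 + day % 3 * 5) * MB))
        events.append((day, "analyst_b", "workstation", (900 + day % 3 * 50) * MB))
    # Day 11: one large download by a user who does not typically do so.
    events.append((11, "analyst_a", "workstation", 900 * MB))
    # Day 12: many small copies to removable media, each under the static limit.
    events.extend((12, "analyst_a", "usb", 15 * MB) for _ in range(60))
    # A user with no history at all.
    events.append((11, "contractor_c", "workstation", 5 * MB))
    return events

def static_threshold_hits(events, per_transfer_limit):
    """Per-transfer size rule: the (user, day) pairs it would flag."""
    return {(user, day) for day, user, _dest, size in events
            if size > per_transfer_limit}

def daily_totals(events):
    """Aggregate bytes and destinations per (user, day) across all sources."""
    totals = defaultdict(lambda: {"bytes": 0, "dests": set()})
    for day, user, dest, size in events:
        totals[(user, day)]["bytes"] += size
        totals[(user, day)]["dests"].add(dest)
    return totals

def detect_anomalies(events, baseline_days, k=10.0, min_history=5):
    """Flag days whose total exceeds the user's own median + k * MAD."""
    totals = daily_totals(events)
    history = defaultdict(list)
    for (user, day), agg in totals.items():
        if day <= baseline_days:
            history[user].append(agg["bytes"])
    alerts = []
    for (user, day), agg in sorted(totals.items()):
        if day <= baseline_days:
            continue
        alert = {"user": user, "day": day, "bytes": agg["bytes"],
                 "dests": agg["dests"]}
        past = history[user]
        if len(past) < min_history:
            # No profile yet: surface the gap instead of silently passing.
            alerts.append({**alert, "reason": "no_baseline"})
            continue
        med = median(past)
        mad = median(abs(v - med) for v in past)
        # Floor the spread so a nearly flat history does not alert on noise.
        spread = max(mad, 0.05 * med)
        if agg["bytes"] > med + k * spread:
            alerts.append({**alert, "reason": "above_baseline"})
    return alerts

if __name__ == "__main__":
    sample = build_sample_events()
    print("static rule:", sorted(static_threshold_hits(sample, 50 * MB)))
    for a in detect_anomalies(sample, baseline_days=10):
        print(a["user"], a["day"], a["bytes"] // MB, "MB", a["reason"])
```

On this constructed data the static rule flags analyst_b's routine work every day and never sees the day-12 copies, while the per-user baseline flags only analyst_a's two unusual days and the user with no profile.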
Before the breach was detected, Desjardins presented the findings of a data loss risk analysis in an internal report prepared for the deployment of a DLP strategy. This analysis led to the conclusion that there was a high risk of data loss via physical vectors such as USB keys. To reduce this risk, this study had recommended measures such as the monitoring of suspicious behaviour and the detection of data exfiltration activities. As explained above, such measures can be implemented using the approaches described in paragraphs 75, 77 and 78 (DLP, SIEM and UEBA).
An organization like Desjardins, which handles a large volume of transactions involving sensitive personal information, must have an active monitoring system. This requires technological measures based on approaches such as those listed above.
In addition, the external firm’s report evaluating Desjardins’ information security, published in May 2018, states that Desjardins had partially deployed a DLP solution. Desjardins did not implement all of the recommendations from its own report nor from the external firm’s. Taking advantage of the presence of data copied by his colleagues onto the shared directory and of the absence of mechanisms preventing or controlling the use of USB keys, the malicious employee was able to use removable storage media, precisely one of the scenarios envisioned in Desjardins’ report.
Desjardins did not detect the data theft on its own. It was the Laval police department that notified Desjardins after it discovered evidence of the breach in the course of a separate investigation involving the financial institution.
Conclusion
For the reasons described above, we are of the view that Desjardins’ protection measures were inadequate in the following four areas:
Organizational policies and procedures
Employee training and awareness
Access controls and data segregation
Oversight and monitoring
In our view, the specific weaknesses described above, individually and collectively, constitute failures to implement appropriate security safeguards given the volume and sensitivity of the personal information held by Desjardins. Accordingly, Desjardins is in contravention of PIPEDA Safeguards Principle 4.7.
Furthermore, weaknesses related to implementing procedures and training staff represent contraventions relating to the Accountability Principle, in particular PIPEDA Principle 4.1.4.
Our recommendations for appropriate measures to remedy this contravention are presented at the end of this report.
Issue 2. Retention of personal information held by Desjardins
According to PIPEDA Principle 4.5 (Limiting Use, Disclosure and Retention), an organization must not retain personal information longer than necessary to fulfill the purposes for which it was collected. According to Principle 4.5.3, personal information that is no longer required to fulfill the identified purposes should be destroyed, erased or made anonymous by the organization. Organizations must also develop guidelines and implement procedures to govern the destruction of personal information.
As described at paragraph 9 of this report, between January 2016 and November 2018, certain employees downloaded personal information from two data warehouses to the marketing department’s shared drives. This represented the personal information exfiltrated by the malicious employee.
Included in the information inappropriately accessed by the malicious employee were 3.9 million inactive files, some of which had been inactive for decades. Given the age of the files, we looked closely at Desjardins’ personal information retention practices.
At the time of the breach, Desjardins had a directive (Directive Mouvement sur la Gestion des documents [Desjardins directive on document management]) and a policy (Politique sur la protection des renseignements personnels [Personal information protection policy]) setting out the guiding principles governing the retention of personal information.
For example, according to its Directive and Policy, personal information must only be retained for as long as necessary to fulfill the purposes for which it was collected, and documents must be retained for an appropriate period, in line with their business, tax, legal and historic value.
In 2018, in the midst of the breach, Desjardins was working on its document retention schedule, which has yet to be finalized.
Moreover, Desjardins did not have any procedures in place to destroy personal information at the end of its lifecycle.
In submissions we received seven months after the incident, Desjardins was still incapable of determining the retention period for the compromised inactive accounts.
Retaining personal information longer than necessary risks causing harm to the individuals concerned. It can increase the risk of a potential breach of personal information, such as the one that occurred at Desjardins.
In light of the above, we are of the view that Desjardins did not handle personal information in accordance with the retention and destruction requirements set out in PIPEDA Principle 4.5.
Our recommendations for appropriate measures to remedy this contravention are presented at the end of this report.
Issue 3. The mitigation measures offered by Desjardins to the affected individuals
According to PIPEDA Safeguards Principle 4.7.1, security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
In an investigation report of findings published in 2019 regarding a breach affecting Equifax in 2017, we expressed our view that Principle 4.7.1 requires that organizations take appropriate mitigation measures following a breach to prevent the future unauthorized use of the compromised personal information. [Footnote 9]
In 2018, new PIPEDA provisions regarding organizations’ obligations following a breach came into force. [Footnote 10] These provisions recognize the importance of mitigation measures following a breach of security safeguards.
In the breach that is the subject of this investigation, names, telephone numbers, email addresses, residential addresses and social insurance numbers were among the compromised information for the majority of clients and members affected. As discussed earlier, these personal identifiers, combined, present a real risk of unauthorized use by malicious actors for identity theft. This risk is enduring because these identifiers are often used for the purpose of identity validation, and are relatively permanent.
In this context, we considered whether the protection measures offered by Desjardins to those affected provide adequate long-term protection against such unauthorized use of the compromised personal information.
Among the measures taken, Desjardins created a website and set up a call centre for its clients to better understand the incident and the associated protection measures.
Desjardins directly and indirectly notified affected individuals, providing them with a detailed description of the compromised personal information and the protective measures offered by the organization (including the credit monitoring service provided by Equifax and the Desjardins Protection). The company also offered all of its members using AccèsD unlimited access to their credit records through TransUnion.
As a further mitigation measure, the financial institution is providing all of its existing and future members and clients with the Desjardins Protection Plan (Protection/Assistance). The plan has four components. Former clients and members are only eligible for the fourth component:
Asset Protection: Ongoing protection allowing for a full reimbursement of any losses caused by unauthorized transactions in Desjardins client and member accounts.
Reimbursement: Ongoing protection allowing for the reimbursement of any expenses incurred in the identity recovery process. All members can be reimbursed up to $50,000 per event. Additional reimbursements are possible, such as for lost salary or childcare costs connected with any absences required to carry out the necessary steps of the identity recovery process.
Support [Footnote 11]: Direct rehabilitation assistance in the case of identity theft, including individual support throughout the identity recovery process. The use of these services is unlimited and permanent. The services of experts such as lawyers and psychologists are also available to affected members.
Equifax Credit Monitoring (Prevention/Monitoring) for five years: Daily credit monitoring with alerts of activity or changes to the credit score. The protection also includes permanent insurance of up to $50,000 for identity theft.
By offering these mitigation measures to protect those affected against the unauthorized use of their personal information, Desjardins has satisfied its obligations under Principle 4.7. It should be noted that overall, the measures taken by Desjardins significantly surpass those taken by other organizations following a major data breach.
Given the measures proposed by Desjardins, we have no recommendations to make on this point.
Steps taken by Desjardins following the breach
After the breach, Desjardins took a number of steps to improve the organization’s security. This section presents the principal measures implemented.
Creation of the Desjardins Security Office
This office is responsible for coordinating organizational initiatives and instituting integrated, cross-sector security strategies. It is also charged with the protection of the assets and personal information of Desjardins’ members and clients. Finally, it is responsible for establishing a process through which security related issues are reported.
Programme d’amélioration de la sécurité de l’information et de la protection des renseignements personnels [Information Security and Privacy Protection Improvement Program]
The purpose of this program is to remedy the organization’s cultural blind spots that facilitated the breach. It arose from an overarching plan involving several measures and actions aimed at improving access controls and rights, monitoring and detecting threats, improving training and awareness, and increasing privacy protections. For example, Desjardins will eliminate personal information in certain databases when its use is no longer required for the business process. It will also replace personal information with less sensitive data.
Security screening
For all users with high-level access privileges, security screening and credit check procedures have been revised and will now be renewed every three years. This is the case, for example, for those authorized to access the confidential data in the banking data warehouse.
The organization’s policies and procedures
In light of the results of internal audits, Desjardins intends to adjust certain of its policies and directives, including the following:
STD-SEC-06.02 Standard de sécurité sur les postes de travail [Security Standards for Work Stations]
STD-SEC-12.01 Standard de sécurité sur la protection des données [Security Standards for Data Protection]
STD-SEC-12.03 Standard de sécurité sur la sauvegarde [Security Standards for Backup]
STD-SEC-14.01 Standard sur l’utilisation des données confidentielles de production à l’extérieur de l’environnement de production [Standards for the use of Confidential Production Data Outside of the Production Environment]
POS-SEC-2015.04 Sécurité des données de cybermétrie [Security of Cybermetrics Data]
Politique Mouvement sur la protection des renseignements personnels [Policy on the Protection of Personal Information]
Employee training and awareness
Desjardins is currently upgrading its security training and awareness program for all of its employees and managers. Desjardins is also developing specific training for employees handling personal information to remind them of their roles and responsibilities.
Access controls and data segregation
Desjardins reduced the use of shared directories and extended the blockage of removable storage devices to all business lines in the organization. Desjardins also further segmented the two data warehouses.
Desjardins has centralized processes for granting access rights and reduced the number of accounts with high-access privileges. To manage bulk data, it has chosen modern data management business processes to reduce, if not eliminate, human interventions.
Desjardins has created a new, restrictive analysis environment to house applications that give access to mass confidential data. This environment controls, restricts and monitors the use and extraction of the data held in the data warehouses.
In the course of our investigation, we observed that there was an approval threshold below which small file transfers were permitted without requiring approval. Desjardins has since changed its process. Going forward, this approval process no longer considers the size of the files transferred, but rather focuses on the sensitivity of the information they contain. Desjardins also has procedures and tools in place to control and delete personal information when its presence outside of data warehouses is no longer justified.
Oversight and monitoring
Desjardins has accelerated the implementation of a process to evaluate insider threats that pose risks to its operations. It has adopted active surveillance of its employees’ use of technology. For example, Desjardins has installed extensive DLP solutions to monitor all of the main data exfiltration vectors (email, web navigation, copying onto USB keys, etc.). It also relies on a UEBA solution to monitor suspicious user behaviour. Finally, Desjardins has acquired a network directory scanning tool to identify confidential information. Beyond technological measures, Desjardins is applying a holistic approach by amending its processes and augmenting staff training and awareness.
Retention of personal information held by Desjardins
Desjardins is currently developing a more detailed retention schedule. This will determine how long each type of data is to be retained, based on relevant requirements. Along with the implementation of the schedule, personal information that has reached the end of its retention period will be destroyed or anonymized.
Conclusion and recommendations
While it is commendable for organizations to trust their employees, this must be accompanied by oversight and control measures. A culture of accountability is also essential. The most senior levels of management must be involved, since an organization’s leaders must initiate and adopt cultural change.
Furthermore, everyone involved in the handling and protection of personal information must fully perform their roles and responsibilities. This means providing them with the necessary technological resources and training.
While it is important to recognize that Desjardins has implemented several significant progressive changes to remedy the gaps identified following the breach, this report contains recommendations to Desjardins to continue to remedy these weaknesses.
The breach analyzed in this report highlights the dangers presented by insider threats, intentional or otherwise. The OPC maintains that vigilance and a holistic approach are important when deploying measures to address and mitigate the impact of such threats.
As part of our preliminary investigation report, we made the following recommendations to Desjardins with respect to contraventions found under issues 1 and 2 regarding the security safeguards and the retention of personal information:
a) Provide to the OPC every six months a progress report on actions taken by Desjardins following the breach to safeguard information. This report must clearly indicate, for each module, activity and sub-activity:
    the desired objective;
    a description of the organizational, contractual and technological measures implemented or to be implemented and how they contribute to the protection of personal information;
    the effective or anticipated date for the implementation for each measure;
    monitoring and control indicators and tools to assess the effectiveness of the implemented measures;
    the review frequency of each measure; and
    a description of the residual risks corresponding to the implementation status of each measure and the actions planned to address these risks.
b) Finalize and submit a retention schedule and destruction process within six months of the release of this report, explaining the rationale behind the minimum and maximum periods identified.
c) Within six months of finalizing the schedule, delete or anonymize any personal information for which the retention period has expired.
d) Demonstrate to the OPC within six months that requests for access and transfer of personal information are monitored when they involve volumes below the minimum threshold of the new analysis environment.
e) Demonstrate to the OPC within six months that Desjardins has implemented measures to protect personal information throughout its life cycle, including additional protection to prevent breaches arising from the presence of personal information on employees’ computers following authorized transfers.
We also recommended that Desjardins retain the services of an accredited and experienced external auditing firm to assess and certify its information security and privacy program and submit a report of this audit to the OPC within two years. At a minimum, the report must:
assess the security safeguards, policies and procedures and determine their effectiveness for preventing a similar breach in the future;
evaluate the governance system and the organization of the protection of personal information;
assess the resources (human, technological, etc.) allocated to privacy protection;
identify and document the platforms used by Desjardins to store personal information (data warehouses, servers, fixed and removable storage devices, etc.) and identify any sensitive personal information stored in each location (financial information, government identification, etc.);
assess the effectiveness of Desjardins’ safeguards in its storage of personal information in light of the degree of sensitivity of the information;
identify, analyze and document any internal and external risks that could potentially affect personal information in conjunction with any platform, system or process that could lead to the loss, theft, unauthorized access, disclosure, copying, malicious use, modification or any other possible compromise of the information; and assess whether the physical, organizational and technological measures are sufficient to protect against the identified risks;
assess Desjardins’ training program and all associated policies and procedures to ensure that the employees (including technical personnel) understand how to handle personal information, identify and respond to potential breaches, and generally ensure that the personnel is aware of the importance of protecting personal information;
audit the practices for the retention, destruction or de-identification of personal information for which the retention period has expired based on Desjardins’ retention schedule;
identify any recommendations or protection measures proposed by the external auditing firm to improve Desjardins’ information security program and ensure that it complies with the Act; and
identify any internal or external residual risk to the protection of personal information and solutions to address it.
In connection with the audit report mentioned at paragraph 125, Desjardins must provide a detailed explanation of its decision to accept or reject the recommendations of the audit report, including a schedule for implementing the recommendations if they are accepted.
Desjardins’ Response
Desjardins accepted all of our recommendations and has already put in place certain of the recommendations presented in our preliminary report of investigation.
Regarding our recommendations at paragraph 124 b) and c) on the retention schedule and the destruction of personal data, Desjardins proposes a plan spanning 18 months. Once its retention schedule is finalized in early 2021, Desjardins intends to implement the destruction of personal information in three stages of approximately 6 months each, starting with the systems holding the most sensitive data. The project is to be completed by June 2022.
Regarding our recommendations at paragraph 124 d) and e) on monitoring requests for access and transfer of personal information independently of their size, and the protection of personal information throughout its life cycle, Desjardins has already put in place measures addressing these issues.
Conclusion
In view of all the above, we consider the complaints to be well-founded and conditionally resolved.
The OPC will monitor Desjardins’ progress on its implementation of our recommendations.
Footnotes
Footnote 1
TVA Nouvelles, 19 October 2019 (in French only)

Footnote 2
Radio-Canada, 27 October 2020 (in French only)

Footnote 3
The purpose of this visit was to discuss and better understand the organization’s culture and practices surrounding information security and privacy; discuss and assess the environment of the marketing department in which the malicious employee worked; receive a demonstration of the security safeguards in place; and obtain the details of the management action plan.

Footnote 4
Security screening involves a credit check (with a credit bureau); a criminal record check; and the verification of penal and municipal dockets, internal intelligence databases, industry intelligence databases via the Canadian Bankers Association, politically-exposed persons database, links with public entities and public companies, lists of comprehensive sanctions, foreign criminal records, open sources, etc.

Footnote 5
Desjardins is compliant with ISO 27001 A.7.1.1 Screening and the requirements of the Department of Public Safety Canada

Footnote 6
See “Standard de sécurité sur la surveillance et la journalisation” [Security standard on monitoring and logging] (Version 4.0 updated 2017-11-03), Logging Requirement STD-SEC-12.02-004 “Platform and application security events must be centralized and automatically logged (e.g. through the use of a Security Information and Event Management System (SIEM)).”

Footnote 7
See Requirement STD-SEC-12.02-006 – “Platform and application security events must be monitored and correlated automatically (e.g. through the use of a Security Information and Event Management System (SIEM))”.

Footnote 8
See “Standard de sécurité sur la protection des données” [Data protection security standard] (Version 3.1 17 October 2014, modified on October 18, 2018), Requirement STD-SEC-12.01-305.

Footnote 9
Investigation of Equifax Inc.’s and Equifax Canada’s compliance with PIPEDA following a breach of personal information security safeguards in 2017, PIPEDA Report of Findings #2019-001, April 2019.

Footnote 10
See section 1.1 Breach of Security Safeguards, PIPEDA.

Footnote 11
Other measures are included in this component; we are presenting the main ones here.