MONTREAL -- The Desjardins Group says the employee who stole the personal data of 4.2 million members of the financial co-operative also gained access to information for 1.8 million credit card holders.
In a conference call on Tuesday, however, the financial co-operative's chief executive officer insisted that personal information of the card holders was not passed on to third parties.
"I want to be clear: nothing tells us that this data has been stolen," said Guy Cormier. "It is only preventive that Desjardins wants to warn people."
He was accompanied by Real Bellemare, the new executive vice-president and chief operating officer who is temporarily in charge of information technology.
Bellemare said "no credit card was compromised," nor were Interac and debit card details. In addition, information such as passwords, security issues and personal identification numbers would not have been transmitted externally.
The update comes a week after the departure of two senior Desjardins executives -- former chief operating officer Denis Berthiaume and Chadi Habib, senior vice-president of information technology.
It says all of its credit card, insurance and wealth management customers will receive the same protections already offered to Desjardins members.
In total, about eight million people will have access to the suite of initiatives, such as access to Equifax's credit monitoring service.
Desjardins will therefore add between $10 million and $15 million to the $70 million provision from earlier this year to cover the costs related to the leakage of personal data.
"Whether it's $5 million, $10 million or $15 million more, between you and me, it's not significant and Desjardins is able to absorb these sums," said Bellemare, noting that the co-operative earned about $2.3 billion in profits last year.
Desjardins initially reported in June that 2.9 million customers had been affected by the theft -- 2.7 million individuals and 173,000 businesses in Ontario and Quebec. But earlier this month, the bank revealed the breach was more widespread than first thought and actually hit 4.2 million members -- all of its clients.
The breach involved personal information, including social insurance numbers, but did not include banking information or passwords.
Desjardins has said a single employee -- since fired -- was allegedly responsible for the breach detected in December 2018.
In September, Quebec provincial police questioned 17 people of interest and conducted multiple property searches as part of an investigation into the incident, dubbed "Portier."
The force said it met 91 witnesses in the Quebec City, Montreal and Laval areas, but didn't make a formal arrest.
Desjardins is also being investigated by Quebec's access to information commission and the Office of the Privacy Commissioner of Canada.
Two class-action lawsuits have been initiated in Quebec Superior Court as a result of the breach.
The security breach is among the biggest in Canada to come about internally, rather than via external cyberattacks, in recent years.
The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.
In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline's mobile app.
In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.
This report by The Canadian Press was first published Dec. 10, 2019.