Desjardins insider data breach

In June 2019, Desjardins — the largest financial cooperative in Canada with ~7 million member-customers in Quebec and beyond — publicly disclosed that an employee had been systematically exfiltrating member records for approximately two years. Initial disclosure put the scope at ~2.7 million records; over the following six months the scope expanded to 9.7 million current and former individual and SME members — effectively the entire Desjardins customer base.

The case became the defining Canadian insider-threat incident and is now the most-cited example in the Canadian Office of the Privacy Commissioner's guidance.

What happened

The insider was Sébastien Boulanger-Dorval, an employee of Desjardins's marketing department in Lévis, Quebec. Over approximately two years (2017–2019), Boulanger-Dorval:

• Accessed member records through legitimate marketing-department database privileges.
• Copied data onto personal storage media without raising operational red flags.
• Sold records to brokers connected to organised crime in Quebec, who in turn used the data for identity fraud and downstream criminal exploitation.

The data accessed and exfiltrated included:

• Names, addresses, phone numbers, email addresses
• Dates of birth
• Social Insurance Numbers (Canadian equivalent of SSN)
• Transaction histories and account-management details
• For business members: corporate identity and account details

Discovery

Discovery came externally, not from Desjardins's own controls. In June 2019, the Sûreté du Québec (Quebec provincial police) — investigating an unrelated organised-crime case — notified Desjardins that data from Desjardins members was circulating in their investigations. The fraud-pattern was specific enough that the source had to be inside Desjardins.

Desjardins's internal investigation rapidly identified Boulanger-Dorval. He was dismissed and referred for criminal prosecution. The investigation also revealed that Desjardins's existing data-access monitoring had not detected the systematic exfiltration, despite the volume.

Scope escalation

Desjardins's public scope estimates expanded over six months:

• June 2019: ~2.7M individual + 173K business members
• November 2019: 4.2M individual members (current and former)
• December 2019: 9.7M total (all Desjardins individual and SME members ever)

The repeated expansions damaged Desjardins's credibility and are a key reason the case is now used to illustrate the importance of conservative scope estimates in initial breach disclosures.

Impact

• 9.7 million Desjardins members and SME customers had personal information exposed.
• Lifetime identity-protection coverage committed by Desjardins to all affected members — a precedent at Canadian scale.
• Direct cost to Desjardins: ~$100M+ in remediation, member protection, and class-action provisions.
• Class action settlement: CAD $200M+ approved in 2022.
• Federal-Quebec joint privacy investigation report published December 2020, with binding compliance orders.

Prosecution

Boulanger-Dorval was arrested in May 2023, four years after the initial discovery, alongside two co-conspirators in the broker chain. The slow pace was attributed to the complexity of tracing how the exfiltrated data had been monetised across multiple Quebec-based fraud rings.

In January 2025, Boulanger-Dorval pleaded guilty to fraud, identity theft, and breach of trust. Sentencing remains pending. The case is one of the few major insider-threat breaches to result in a successful prosecution of the named insider — distinct from the more typical outcome where the insider exits the jurisdiction or the prosecution falters on evidence.

Why it matters

Desjardins is the canonical Canadian insider-threat case and the most-cited example in Canadian privacy regulator guidance. It established:

• That insider exfiltration over multi-year windows is operationally feasible at large financial institutions without conventional security controls detecting it. The marketing department's legitimate database access was sufficient cover.
• That external discovery via law enforcement is a common path for insider-threat detection. Few organisations have the internal controls to detect a determined patient insider; many breaches are surfaced because the downstream criminal use of the data attracts attention.
• That initial disclosure scope estimates should be conservative. Desjardins's three-stage scope expansion damaged credibility; the resulting practice guidance in Canada is now to assume larger scope and refine downward.
• That lifetime identity-protection coverage is a viable remediation at large scale, given a cooperative provider relationship. The Desjardins commitment has been cited in subsequent Canadian and U.S. breach settlements as an aspiration baseline.