Friday, June 14, 2024

5 more arrests, including primary suspect, in connection with Desjardins data leak

CBC
Thu, June 13, 2024

The charges against those arrested on Thursday allege they committed their crimes between October 2016 and May 2019. (Paul Chiasson/The Canadian Press - image credit)


Quebec provincial police have arrested five more people with crimes tied to a massive data breach at Desjardins, including the former bank employee originally suspected of being behind the leak.

Four of them, three men and one woman, were arrested early Thursday morning, hours after Laval police announced arrests of their own tied to the case. Another man, Charles Bernier, turned himself into police later in the day.

Provincial police charged them with fraud, identity theft and the illegal possession and sale of personal information. One of the five, Sébastien Boulanger-Dorval, 42, was also charged with using a computer for fraud.

Boulanger-Dorval was the primary suspect in the leak. He worked at Desjardins on a marketing team at the time of the leak and allegedly justified selling the leaked data to pay debts.

In addition to Bernier and Boulanger-Dorval, police arrested and charged Jean-Loup Masse-Leullier, Laurence Bernier and François Baillargeon-Bouchard. Provincial police also issued arrest warrants for three other people: Maxime Paquette and Pablo Serrano, who police believe are hiding abroad, and Mathieu Joncas.

The charges against those arrested on Thursday allege they committed their crimes between Oct. 1, 2016, and May 27, 2019.

The Desjardins data leak was only revealed to the public in 2019 and the authorities only became aware in December 2018 when a suspicious transaction told them something was amiss.

Benoit Richard, the coordinator of broadcasting and media relations with the Sûreté du Québec, said it took years for investigators to make arrests because the investigation was complex and they wanted to make sure they had gathered all of the evidence they needed.

On Wednesday, Laval police announced three arrests of individuals alleged to be connected to the data breach.

Imad Jbara, 33, and Ayoub Kourdal, 36, were charged with fraud, trafficking in identity information and identity theft. The third suspect has yet to appear in court.

Laval police also issued an arrest warrant for a fourth suspect.

The data breach at the Quebec-based credit union is thought to be one of the largest ever among Canadian financial institutions, affecting roughly 9.7 million people and businesses.

In a statement on Thursday, Desjardins said it was "very pleased arrests have been made."

"We would like to assure the authorities of our full cooperation in further proceedings," the statement said.

Five more arrests, including main suspect, in fraud, data theft at Desjardins

The Canadian Press
Thu, June 13, 2024 




MONTREAL — Quebec provincial police have arrested five people in connection with a multimillion-dollar fraud and the theft of data belonging to almost 10 million clients of the co-operative financial group Desjardins.

Among those arrested, police said Thursday, is the alleged architect of the scheme, Sébastien Boulanger-Dorval, 42, who worked in the marketing department at the financial institution until 2019, the year the theft was discovered.

The four other people arrested are Jean-Loup Masse-Leullier, 32, François Baillargeon-Bouchard, 35, Laurence Bernier, 29, and Charles Bernier, 31. They face charges including fraud, identity theft, and trafficking in identity information.

Police said arrest warrants have been issued for three other people allegedly involved in the crimes at Desjardins: Mathieu Joncas, 38, Maxime Paquette, 38, and Juan Pablo Serrano, 38.

At a news conference in Quebec City on Thursday, provincial police spokesman Benoît Richard said the investigation "shed light on how suspects obtained personal information, the ways in which this personal information was then traded between suspects and how these lists were sold to malicious individuals operating several fraud schemes."

On Wednesday, Montreal-area police said they arrested three other people connected to the case: Ayoub Kourdal, 36; Imad Jbara, 33; and an unnamed third person. Laval police said the three suspects used the stolen Desjardins data to commit fraud totalling $8.9 million between September 2018 and January 2019.

The Office of the Privacy Commissioner of Canada and the Commission d’accès à l’information du Québec published scathing reports in 2020 that concluded Desjardins failed to show the level of attention required to protect its customers' data.

The OPC report said Desjardins notified the federal office on May 27, 2019, about a breach involving close to 9.7 million individuals in Canada and internationally. It found that Desjardins had been aware of the security weaknesses that led to the breach, but failed to address them in time. The breach occurred "over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by the police," the report said.

This report by The Canadian Press was first published June 13, 2024.


Quebec police arrest three in $9-million fraud, data theft case involving Desjardins
The Canadian Press
Wed, June 12, 2024 



MONTREAL — Montreal-area police announced Wednesday that they have arrested three people in connection with a major data theft and $8.9-million fraud involving the co-operative financial group Desjardins, some five years after the alleged crime.

Police in Laval, Que., said one of the suspects was caught with a list of personal data for 1.6 million Quebecers.

The arrests are tied to a 2019 data theft, described as the largest ever in the Canadian financial services sector, that targeted more than 9.7 million Desjardins clients in Canada and internationally, including almost seven million Quebecers.


Laval police deputy director of criminal organizations Jean-François Rousselle said the suspects were allegedly able to use the stolen personal information to get access to the clients' accounts through the bank's online banking platform, Accès D.

“These individuals used the data stolen from Desjardins in order to facilitate the conduct of their operations and to disperse funds in Canada, the United States, but also throughout the world," Rousselle said.

"The main method of operation was to obtain, via the Accès D service, a temporary password using the users' personal information that they had in their possession, to then proceed with transactions made directly from bank accounts via the web platform."

Police said the three suspects used the stolen data to commit fraud totalling $8.9 million between September 2018 and January 2019.

Thirty-six-year-old Ayoub Kourdal, and 33-year-old Imad Jbara were scheduled to appear in court Wednesday, while a court date for the third suspect has not been set. They face charges of fraud over $5,000, trafficking in identity information, possession of identity information, and identity theft.

Police said they are searching for a fourth person in connection with the fraud and data theft.

Rousselle said the investigation was one of the most complex in the force's history and involved the help of the Quebec provincial police and prosecutors.

It led to raids in Montreal, Laval and St-Augustin-de-Desmaures in 2019 that resulted in the seizure of a large amount of data and 70 pieces of computers and equipment containing thousands of documents and files.

The Office of the Privacy Commissioner of Canada and the Commission d’accès à l’information du Québec published scathing reports in 2020 that concluded Desjardins failed to show the level of attention required to protect its customers' data.

The OPC report found that Desjardins had been aware of the security weaknesses that led to the breach, but failed to address them in time. The breach occurred "over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by the police," it found.

The leak was blamed on an employee of the marketing team who was able to access confidential information, despite not having the clearance level to do so, because other employees would copy the information onto a shared drive.

This report by The Canadian Press was first published June 12, 2024.

Stéphane Blais, The Canadian Press


Police arrest 3 in connection with massive Desjardins data breach
CBC
Wed, June 12, 2024 


Laval police criminal investigations assistant director Jean-François Rousselle announced Wednesday new arrests in the 2019 data breach that affected millions of customers. (Ivanoh Demers/Radio-Canada - image credit)


Laval police say they arrested three suspects Wednesday in connection to a massive data breach at Desjardins Group made public in 2019.

Imad Jbara, 33, and Ayoub Kourdal, 36, were charged with fraud, trafficking in identity information and identity theft. The third suspect has yet to appear in court.

An arrest warrant was also issued for a fourth suspect.

The data breach at the Quebec-based credit union is thought to be one of the largest ever among Canadian financial institutions, affecting roughly 4.2 million people and 173,000 businesses.

A suspicious transaction in Laval in December 2018 tipped off Desjardins.

Laval, Que., police criminal investigations assistant director Jean-François Rousselle said one of the suspects had a list of 1.6 million Quebecers' personal information.

The leaked information includes names, addresses, birth dates, social insurance numbers (SINs), email addresses and information about transaction habits.

Using the personal information gathered, the scammers would get a temporary password to log into AccèsD, Desjardins' login portal, to then make fraudulent transactions directly from the victims' account, said Rousselle.

Business accounts were mainly targeted this way, and $8.9 million fraudulently transferred from Desjardins clients and was never recovered.

In a statement to Radio-Canada, Desjardins praised the work of police and said it would continue to co-operate.

Desjardins found negligent

In 2022, the Superior Court of Quebec approved a more than $200-million settlement of a class-action lawsuit related to the breach.

Reports by the Office of the Privacy Commissioner of Canada and the Commission d'accès à l'information du Québec, the province's access-to-information commission, said Desjardins failed to live up to its obligations and was negligent in safeguarding its members' personal and financial information.

The financial institution paid for a credit-monitoring plan through Equifax and offered identity theft insurance for affected members for five years, which is expiring soon.

The Desjardins employee behind the leak worked in the marketing team at its head office and had access to personal information his database access rights did not allow him to obtain, said the Commission d'accès à l'information.

This confidential information was stored in directories shared by all marketing team employees.

Police reports related to fraud increased by 20 per cent in 2023 in Laval, similarly to the rest of Quebec, according to Rousselle.

"Scammers are ingenious and are always innovating their strategies to get more money out of their victims," he said.

"No one is safe from fraud.… Never share your personal information, bank information or give money to someone without confirming their identity."

No comments:

Post a Comment