Canadian financial services co-operative Desjardins has confirmed that a rogue employee stole and disseminated the personal information of more than 2.9 million members.
Desjardins was only made aware of the breach when it was contacted by the police in June.
The stolen data, which covers 2.7 million individual accounts and 173,000 business members, includes first and last name, date of birth, social insurance number, address, phone number, email address and details about individual banking habits and Desjardins products. The firm says that passwords, security questions, and PINs were not compromised.
"This situation is the outcome of unauthorised and illegal use of our internal data by an employee who has since been fired," states Desjardins. "In light of these events, and given the circumstances, additional security measures were put in place on all accounts."
As well as enforcing new measures to tighten access to data internally, Desjardins says that clients will henceforth be subject to new security checks for confirming their identity in person and over the phone.
Guy Cormier, president and CEO of Desjardins Group, says: "I'd like to reassure our members and clients: their accounts and assets with Desjardins are protected in the event of fraud. If they suffer a financial loss as a result of this situation, they will get their money back. We regret this situation and are making every effort to ensure that it doesn't happen again."