More than five years after massive leaks of personal information at Desjardins, the Laval Police Service (SPL) announced the arrest of three suspects.
The individuals arrested in the last hours would have participated in fraud totaling $8.9 million between September 2018 and January 2019, according to the SPL, which invited the media to a press conference on Wednesday.
Also, the police are “actively looking for a fourth individual for whom an arrest warrant has been issued,” indicated Jean-François Rousselle, deputy director at the Criminal Investigation Department.
Two of the suspects, Ayoub Kourdal, 36, and Imad Jbara, 33, are due to appear before a judge on Wednesday.
The third person arrested “is the subject of a promise to appear,” mentioned Jean-François Rousselle.
The suspects face charges of fraud over $5,000, trafficking in identifying information, possession of identifying information and identity theft.
“For example, the investigation revealed that one of the subjects had in particular in his possession a list of data targeting 1.6 million Quebecers,” explained the deputy director of the Criminal Investigation Department.
“These individuals used the data stolen from Desjardins in order to facilitate the conduct of their operating methods and to disperse funds in Canada, the United States, but also throughout the world. The main method of operation was to obtain, via the Accès D service, a temporary password using the users’ personal information that they had in their possession, to then proceed with transactions made directly from bank accounts via the web platform,” summarized the representative of the Laval police.
Jean-François Rousselle spoke of “a large-scale, complex investigation which required the involvement of the Sûreté du Québec and the Serious Crime and Special Affairs Bureau of the DPCP”.
The investigation led police to carry out searches in February, April and June 2019 in the cities of Laval, Montreal and Saint-Augustin-de-Desmaures.
“The searches allowed the seizure of a significant quantity of data and 75 judicial authorizations notably made it possible to seize more than 70 computer items requiring countless hours of analysis. This represents thousands of documents and computer files,” explained Mr. Rouselle.
“This is one of the most complex investigations we have faced in our history and I would like to congratulate all of our troops and our partners who have worked tirelessly over the past five years on this important investigative project. I would also like to thank the RCMP and the Sûreté du Québec for their collaboration in this matter, as well as Desjardins,” indicated Jean-François Rousselle.
Two damning reports
In December 2020, two damning reports about the data leak that affected more than 9.7 million people in Canada and abroad in 2019, including nearly 7 million Quebecers, concluded that Desjardins had not complied with several obligations imposed on it by the Act respecting the protection of personal information in the private sector.
The report from the Commission for Access to Information of Quebec underlined that the cooperative had “failed in its obligation to limit access to personal information, in particular that which is saved in shared directories”.
The Desjardins employee who caused the leak worked within the marketing team at Desjardins head office.
He had access to personal information that his access rights to the databases did not allow him to obtain, underlined the report of the Commission for Access to Information.
Contrary to the directives, this confidential information was located in directories shared by all employees of the marketing team.