The main suspect in the massive theft of confidential data at Desjardins asked for money to sit down to eat, reveal decapitated documents made public on Monday.
Posted at 4:03 p.m.
Sébastien Boulanger-Dorval initially refused to give the Mouvement’s investigators the names of those who allegedly bought the stolen information, according to affidavits filed in court. “He specifies that he wants a financial collaboration agreement with Desjardins and that after that he will collaborate”, indicates the statement of a detective from the Laval police, filed to obtain a search warrant in 2019.
The former employee in the Movement’s marketing department also had other conditions, according to another statement, from the Sûreté du Québec (SQ), this one also made public. He would have “begged” to be able to obtain employment insurance after his dismissal and “to not have any criminal charges”.
Sébastien Boulanger-Dorval also asked Desjardins not to do “any media coverage of the event in exchange for the name of the company to which he sold information”.
The Movement’s investigators, however, no longer needed his help to find out who had bought the information. They had already found documents in his office in a database for Prêt Argent 500. Until the Laval police searched its premises in Montmagny in June 2019, this company had as president Jean-Loup Leullier-Masse, now suspected of having got hold of the stolen data.
Desjardins then seized its employee’s computer equipment on May 26, 2019 under a rare procedure, an Anton Piller order, which allows a civil party to make a search. Around midnight the same evening, Sébastien Boulanger-Dorval agreed to speak with three investigators from the Mouvement at the head office in Lévis.
He then indicated that he had experienced “alcohol problems” after a separation which caused him “financial pressures”, according to the statement from the SQ. This is how he came to sell Desjardins data.
Passports and IDs
In addition to the personal and financial information on Desjardins Group clients, Sébastien Boulanger-Dorval would have had in his possession “a file which contained passport numbers or identity documents”. “It was impossible to confirm that these files came from Desjardins,” the SQ statement read.
The Mouvement’s investigation determined that Sébastien Boulanger-Dorval had used USB keys to illegally download confidential data from his network. In all, he would have connected no less than fifty to the laptop provided to him by his employer, notes the police.
In a telephone that the Movement seized, one of its employees found “15 photos of passwords”, associated in particular with “Doiron”, “Franc” and “JL”. These names and initials seem to correspond to three suspects in the investigation: Nicolas Doiron, François Baillargeon-Bouchard and Jean-Loup Leullier-Masse.
To this day, neither they nor Sébastien Boulanger-Dorval have been charged.
Hard relations with private investigators
Once again, the documents show the difficult relations that the SQ had with the investigators who worked on behalf of Desjardins, in particular those of the American cybersecurity firm Mandiant.
One of its experts, Martin Tremblay, refused to allow the police to film his interrogation. He invoked his confidentiality agreement to refuse to answer questions about the internal investigation.
In October 2020, a person whose name is still redacted said that “everything is privileged concerning Mandiant since they were mandated by the firm McCarthy Tétrault”, the external lawyers of Desjardins.
Even today, the Movement refuses to waive this privilege, according to what a spokesperson explained in an email to The Press.
“We have given the police the information that was necessary to charge the person who should be charged. […], writes Chantal Corbeil. However, some information, including that held by Mandiant, is either privileged or not necessary for the police investigation because it relates to our internal strategies. »
In another passage of its statement, the SQ points out that Desjardins considered that the number of victims of data theft was also a “privileged element”. The document suggests that the police only knew the total number of people affected (9.7 million) when the Commission d’accès à l’information made public its report on the events, in December 2020.