Data leak

Desjardins Group Insider Data Theft (4.2M Members)

📅 2017-01-01

Incident Details

Desjardins Group, Canada’s largest federation of credit unions with over 7 million members, disclosed in June 2019 that a malicious insider (a now-former employee) had been exfiltrating member data for approximately 26 months (from about January 2017 to March 2019) and sharing it with unauthorized third parties. The initial disclosure indicated that 2.9 million members were affected; this was later expanded to 4.2 million, essentially all of Desjardins’ individual members. Stolen data included names, dates of birth, Social Security numbers (Social Insurance Numbers), addresses, phone numbers, email addresses, and information about banking habits.

Desjardins offered 5 years of free credit monitoring to all affected members. The Office of the Privacy Commissioner of Canada (OPC) investigated and in January 2020 found that Desjardins had violated Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) by failing to implement adequate insider threat controls. Desjardins paid approximately $201 million CAD to settle class action lawsuits, one of the largest data breach settlements in Canadian history. The former employee, Sébastien Boulanger-Dorval, was arrested in 2019 and later pleaded guilty.

Technical Details

Initial Attack Vector
A malicious insider (a Desjardins employee) collected and exfiltrated members' personal data over a period of approximately 26 months, sharing it with unauthorized third parties outside the organization.

Timeline

  1. 2017-01-01 Breach occurred
  2. 2019-06-20 Publicly disclosed
  3. 2019-06-20 Customers notified