Desjardins Group said Thursday the personal information of more than 2.9 million of its members has been shared with individuals outside of the organization.
The Quebec-based financial institution said the breach affects 2.7 million individual members and 173,000 business members.
It said the situation is the result of unauthorized and illegal use of its internal data by an employee who has since been fired.
Desjardins noted the incident was not the result of a cyberattack and that its computer systems were not breached.
“We regret this situation and are making every effort to ensure that it doesn’t happen again,” Desjardins Group chief executive Guy Cormier said in a statement.
Desjardins said personal members may have had several pieces of personal information released including their name, date of birth, social insurance number, address, phone number, email address and details about their banking habits.
The company said passwords, security questions and personal identification numbers were not compromised.
Business members had information such as their business name, addresses, telephone numbers and owner names and AccesD Affaires account users exposed.
Desjardins says it was working with police and has implemented additional security measures.
As a precaution, it says it is also offering to pay for a credit monitoring plan and identity theft insurance for 12 months for affected members.