Cyber Analysis Group - CyberAGroup - OSINT Darkweb Investigations  - Insider Threat - Crypto - Online threat & exposure - SOCMINT - Canadian

CyberAGroup recently discovered data released on the dark web that appears to contain customer information from the large Canadian financial institution Desjardins Group. The leaked dataset includes just over 50,000 records of personally identifiable information (PII), including names, physical addresses, social insurance numbers and phone numbers.

The ransomware group CoinbaseCartel is currently making ransom demands against Desjardins. Their ransomware site displays a popup that reads, "CRITICAL ANNOUNCEMENTS...DESJARDINS BANK UPDATE: We will release 500,000 records next week and maybe some of their internal correspondence depending on our mood. Stay tuned." The initial release of 50,000 records was described by the group as a "sample from their database since they think we don't have anything just wait till you see whats next".

Desjardins Group is the largest financial cooperative in North America and a leading provider of banking and insurance services in Canada. Founded in Quebec, Desjardins operates as a federation of credit unions and has a significant presence in Quebec and Ontario, as well as business activities across Canada and internationally.

Although the data was initially presented on the dark web as coming from a breach that occurred in mid-September, it is possible the data is from an earlier incident. In 2019, Desjardins suffered a major leak when an employee stole the personal information of nearly 9.7 million customers, including names, addresses, and social insurance numbers. The breach was not a cyberattack on the company's systems but the result of an employee copying data onto USB drives. While the stolen data was leaked outside the institution and used by bad actors, evidence indicated it was not released for mass public consumption but rather distributed in a more controlled, criminal manner.

This recent ransom story was carried by the local outlet Le Journal de Montréal on Oct 3 (https://www.journaldemontreal.com/2025/10/03/donnees-de-desjardins-sur-le-dark-web-barrer-votre-dossier-de-credit-peut-empecher-la-fraude), but it dismissed the ransom as a recycling of data taken in the 2019 compromise. The report, whose authors were not able to download the data, concluded that this new ransom was simply an attempt by the group to extort the bank and likely just a scare tactic.

Having participated in ransomware investigations and negotiations, we know ransomware groups can't be trusted. However, regardless of when and where the data came from, the actual public disclosure of 53,614 records of Canadians' personal information is problematic, and the potential threat of an additional 500,000 records is extremely concerning.