Desjardins, a Canadian federation of credit unions, said a police investigation has uncovered that data belonging to almost 2.9 million personal and business members, was breached by a rogue employee, according to a notice to customers on the company website.

The information of 2.7 million personal members business members, included names, addresses, social security numbers, dates of birth, phone numbers, email addresses and details of banking habits were breached by the employee,who was fired. However, passwords, PINs, card numbers and security questions were not breached.

The compromised data of 173,000 business members included business names, addresses and phones numbers, the names of authorized users on the AccesD Affaires account.  

The company has sent letters to affected members and is offering up to five years of credit monitoring, which is paid for by the credit union and will include identity theft insurance, daily access to credit reports and alerts about any changes to the report.

The company has put additional monitoring in place and stepped up measures for confirming identity over the phone and in person. Canadian regulatory authorities were also notified, including the Office of the Privacy Commissioner of Canada. Laval police notified Desjardins on June 14th about the incident.