After the arrests of the Laval police on Wednesday, the Sûreté du Québec handcuffed the number one suspect in the data theft case at Desjardins, Sébastien Boulanger-Dorval. Charges also target seven other people as part of the Portier project over the data leak that potentially affected 9.7 million customers. Two of them are considered “on the run.”
Boulanger-Dorval, 42, is accused in particular of having “fraudulently obtained computer services”, of having had in his possession “information about another person” with the intention of committing a crime, of having retransmitted this data, as well as fraud, between October 2016 and May 2019.
The SQ also caught Jean-Loup Leullier-Masse, 32, François Baillargeon-Bouchard, 35, Charles Bernier, 31, and Laurence Bernier, 29. They must appear to answer the same charges, except the first.
Mathieu Joncas, 38, has not yet been located.
Police also issued arrest warrants for Juan Pablo Serrano, 38, and Maxime Paquette, 38. “On the run abroad, they are now among the most wanted criminals in Quebec,” mentions the SQ.
“They knew that one day we would be looking for them,” said Benoît Richard, spokesperson for the SQ, at a press conference. These people have no intention of returning to Quebec.
According to the arrest warrants for them, Paquette lives in Playa del Carmen, Mexico, while Serrano’s home is “unknown.” Both are charged with fraud over $5,000 and possessing confidential information about another for the purpose of committing a crime, from November 2017 to November 2020.
In a second mandate, Paquette is also accused of having had this information later, in June 2021.
The project required “more than 25 searches,” “more than 160 meetings with witnesses” and the seizure of “120 computer items.”
“You know, 9.7 million people potentially defrauded, this is a very large-scale investigation, very complex for the SQ,” underlined Benoît Richard.
The police notably had to go through a laborious protocol to gain access to the evidence collected on Desjardins’ own premises in February 2021, without compromising the confidentiality of client data or violating lawyer-client privilege, for example.
The SQ wanted to point out that stolen information is still circulating. “As soon as the list is available and sold to third parties, it becomes extremely complex to know who has taken possession of it, who has it,” insisted Benoît Richard. As we speak, it is unlikely that this list will ever be secure. »
The police therefore call on the population to “remain vigilant”.
According to what police documents filed in court have allowed us to learn so far, Sébastien Boulanger-Dorval would have sold stolen information on millions of customers to Jean-Loup Leullier-Masse, a private lender from Montmagny then in business with Charles Bernier.
The latter then allegedly resold part of the information to Mathieu Joncas, a mortgage broker already sentenced in 2022 by the profession’s watchdog to fines totaling $36,000 and 420 days of suspension. The businessman, who is also a private lender, admitted to having acquired information on “150,000 to 200,000” Desjardins clients before the disciplinary committee of the Organisme d’autoréglementation du courtageimmobilier du Québec (OACIQ) .
His partner and insurance broker, François Baillargeon-Bouchard, was fined a total of $40,000 for buying data on 40,000 clients and obstructing an investigation by the Financial Markets Authority.
As for Juan Pablo Serrano, a repeat fraudster, the SQ suspects him of having carried out fraud using information stolen from Desjardins, with the complicity of Maxime Paquette, his roommate at the time, according to police documents filed in court to obtain search warrants in recent years.
In September 2019, police seized a computer from their home containing no less than 3.85 million lines of data on Desjardins customers.
In a press briefing, the SQ specifies that the theft of data enabled fraud of “several millions”.
On Wednesday, the Laval police announced the arrest of three people in connection with fraud totaling 8.9 million, carried out by AccèsD using information from data theft, as part of its Glaive project. This investigation is at the origin of the main Portier investigation of the SQ, which deals with the data theft itself. A fourth person was still being sought at the time of the press conference.
These are the first major developments after the announcement of a massive data theft at Desjardins on June 20, 2019.
The Movement initially announced that it had data on 2.9 million customers stolen. He then revised this figure upwards several times. In December 2020, privacy commissions concluded that the theft potentially affected 9.7 million individuals and businesses.