A Quebec private lender at exorbitant rates was the victim of a massive data leak in May 2024 without informing the authorities or the 150,000 people affected.
• Read also: False signatures: Desjardins still embarrassed
• Read also: Protection of personal information: no need to give your name and phone number to buy a pair of stockings, warns a cybersecurity expert
Ultrasensible information, such as social insurance numbers, bank statements and full addresses circulate today in criminal networks.
The company in question, Management Kronos, operates a dozen “rapid” loan websites often used by Quebecers in difficult financial situations.
A loan of $ 500 must be reimbursed by 16 weekly payments of $ 52.28, or $ 836.48 or 67% of interest. Screenshot of the preformula.ca site
The company’s silence is unacceptable for cybersecurity expert Stéphane Auger. According to him, this represents “a lack of blatant ethics at the expense of the victims”.
The leak would have been orchestrated by a notorious pirate nicknamed “Chucky”, active in Russian -speaking forums, which published the stolen database on a clandestine site. Although it is now offline, screenshots show that the information on display include names, NAS, addresses, bank statements, payroll sheets and even the sums borrowed.
The IT pirate nicknamed “Chucky” announced his lacin in May 2024. screenshot of the Leakbase site
However, the law obliges companies to quickly report this kind of incident to the information access commission and to prevent the persons concerned. But Kronos, founded by Maxime William Martin, was silent. No alert, no notification.
“Some companies prefer to collect a two -day media scandal rather than risking a fine of up to $ 10 million,” breathes a well -informed observer from the file.
-Result: victims are already targeted by fraudulent emails where sender pretend to be Kronos and threaten reprisals in the event of non-payment.
Kronos customers have been complaining online since the beginning of April 2025. screenshot of the Fraude-alerte.ca site
To obtain a loan from Kronos, customers must transmit their bank data via an instant verification system provided by Flinks, a company belonging to the National Bank. It is unlikely that the bank was informed of the breach, according to our sources.
“Just with a name, address and email, you can launch massive phishing campaigns. And here, fraudsters have much more, ”insists Stéphane Auger.
screenshot of the Leakbase site
Kronos did not respond to interview requests. Meanwhile, 150,000 Quebecers still ignore that their digital life may already be in bad hands.
A police, but no fine
Since September 22, 2023, the Information Access Committee (CAI) can impose sanctions of up to $ 25 million or 4% of the global turnover of a company. These fines apply in particular in the event of an undeclared security incident or when a serious risk of damage is ignored. Aggravating factors include the repetition, the sensitivity of the data or the omission of protective measures. Despite 531 declared incidents, no sanction has yet been imposed.
Law 25 Bafouée
Law 25 was designed to protect citizens in the event of data leakage, forcing companies to inform victims quickly. However, in the case of Kronos, around 150,000 people have never been informed that their personal information had been compromised. According to Stéphane Auger, this omission constitutes a serious fault and a clear violation of the law.
The 11 Kronos management sites involved
Do you have any information to communicate to us about this story?
Write us to the address or call us directly at 1 800-63SCOOP.
