Canadian fugitive arrested in Spain following major Desjardins data leak

A man wanted by the Quebec Provincial Police in connection with the massive breach of Desjardins data which affected nearly 10 million customers was arrested in Spain after evading authorities for more than a year.

The Quebec Provincial Police announced Tuesday that Juan Pablo Serrano, 40, was arrested by Spanish authorities on November 6, 2025, following a joint operation involving the Spanish police, the Sûreté du Québec (SQ) and Interpol.

Serrano had been wanted since June 2024 by the SQ’s financial and cybercrime units for theft and resale of personal information belonging to the 9.7 million customers of Desjardins Group, one of the largest financial institutions in Canada.

Police allege Serrano purchased the stolen data from a former Desjardins employee and used it for various fraudulent schemes.

“This was not a hack like most people think, but an insider threat, which meant this person had way too much access,” cybersecurity expert Terry Cutler told Global News on Tuesday.

Interpol had issued a Red Notice – a request to police around the world for help in finding and temporarily detaining a person pending extradition or surrender – for Serrano’s help in locating them internationally.

Quebec police say he was considered one of the province’s most wanted fugitives.

Authorities say Serrano will remain detained in Spain while extradition proceedings are initiated to return him to Canada.

Once he returns home, he is expected to face multiple charges, including identity theft, trafficking in identity information and fraud over $5,000.

The SQ credited the Spanish authorities, Interpol and several national and international partners for this arrest, in particular the field office of the American secret services in Ottawa and its resident office in Madrid, “whose contributions were decisive in the success of this operation”, indicated the SQ in a press release.

The Desjardins data breach, first discovered in 2019, exposed the personal information of millions of customers and has been described as one of the largest privacy breaches in Canadian history.

The breach occurred over a period of more than two years before the financial institution became aware of it.

Several arrests made, scathing conclusions regarding the protection of privacy in the Desjardins affair

Five other suspects were arrested in June 2024 in connection with the affair, including the alleged architect of the scheme, Sébastien Boulanger-Dorval, 42, who worked in the marketing department until 2019.

Current trend

• Mickey Rourke’s team turns to GoFundMe to ‘prevent eviction’ over unpaid rent

• “An Unstable White House”: What Shaped Responses to the US Attack in Venezuela?

The other four were Jean-Loup Masse-Leullier, 32, François Baillargeon-Bouchard, 35, Laurence Bernier, 29, and Charles Bernier, 31.

At the time, police said arrest warrants had been issued for three other people suspected of being involved in the fraudulent scheme: Mathieu Joncas, 38, Maxime Paquette, 38, and Serrano.

Authorities said three other people were arrested between September 2018 and January 2019: Ayoub Kourdal, 36, Imad Jbara, 33, and a third unnamed person.

The ages of the suspects were provided by police in 2024.

The Office of the Privacy Commissioner of Canada and Quebec’s Commission d’access à l’information published scathing reports in 2020 concluding that Desjardins had not demonstrated the level of attention required to protect its customers’ data.

The report indicates that Desjardins informed the federal office on May 27, 2019 of a breach involving nearly 9.7 million people in Canada and abroad.

She concluded that Desjardins was aware of the security flaws that led to the breach, but failed to remedy them in time.

–with files from The Canadian Press