Listen to this article
Estimated 3 minutes
The audio version of this article is generated by AI-based technology. Mispronunciations can occur. We are working with our partners to continually review and improve the results.
Juan Pablo Serrano, wanted since June 2024 in connection with a massive Desjardins data breach, was arrested in Spain, according to a news release published Tuesday by Quebec provincial police.
Serrano was arrested on the evening of Nov. 6, 2025 thanks to a joint operation between Spanish authorities, provincial police and Interpol, according to the release.
He was among the most wanted fugitives in Quebec and is wanted by the financial crimes and cyber crime investigation division as part of Project Portier, a large investigation into the Desjardins data breach.
The investigation began after it was revealed that the personal information of millions of Desjardins Group members had been shared with individuals outside the financial institution.
To locate Serrano abroad, provincial police say Interpol issued a red notice — a request to law enforcement worldwide to locate and arrest someone pending extradition.
Serrano is currently detained in Spain, and upon his extradition to Canada will face three charges: identity theft, fraud exceeding $5,000 and trafficking in identity information.
In June 2024, provincial police posted information about the 40-year-old fugitive online, saying he allegedly purchased Desjardins members’ and customers’ data lists through another man, Sébastien Boulanger-Dorval, and executed various fraud schemes with Desjardins data.
Juan Pablo Serrano, pictured in an image on the provincial police’s website, was listed as one of the most wanted fugitives in the province. (Sûreté du Québec)
That month, Boulanger-Dorval was arrested and charged with fraud, identity theft and the illegal possession and sale of personal information, along with using a computer for fraud.
Boulanger-Dorval was the primary suspect in the investigation. He worked at Desjardins on a marketing team at the time of the breach and allegedly sold the leaked data to pay debts.
WATCH | In 2024, we looked at whether your banking data was more protected:
Is your banking data any safer 5 years after the Desjardins breach?
Financial institutions have added more safeguards over the years. While experts say your information will always be at risk, there are steps you can take to protect yourself.
The Desjardins data breach was revealed to the public in 2019, and authorities only became aware in December 2018. The data breach at the Quebec-based credit union is thought to be one of the largest ever among Canadian financial institutions, affecting roughly 9.7 million people and businesses.
On Tuesday, the Sûreté du Québec (SQ) underlined the operation to find and arrest Serrano was thanks to a collaboration between national and international partners, including the contributions of the U.S. Secret Service Ottawa Field Office and the Madrid Resident Office.
In an emailed statement to CBC News, Desjardins said it is pleased to hear about the arrest and reiterated its collaboration with the authorities. It added its members and clients can benefit from the financial institution’s identity protection.