Quebec-based Desjardins Group says the information of more than 2.9-million of its members has been shared outside of the organization by an employee.
The leaked information includes names, date of birth, social insurance numbers, addresses, phone numbers, email addresses and details about banking habits.
Passwords, security questions and personal I-D numbers were not compromised.
Desjardins says this was not a cyberattack and that its computer systems were not breached, and that the employee responsible for the data leak has been fired.
The company says those affected includes 2.7 million individual members and 173,000 business members.
Desjardins is working with police and has implemented additional security measures.
It's also offering to pay for a credit monitoring plan and identity theft insurance for 12 months for affected members.
Its chief executive says the company regrets that the personal information of millions of its members has been shared and is taking steps to make sure it doesn't happen again.