‘Malicious’ employee stole 10 million Canadians’ sensitive information over two-year period
A data breach at Canadian financial firm Desjardins, which leaked nearly 10 million customers’ personal information, has highlighted the ongoing risk of insider threats against organizations of all sizes.
Desjardins, a financial management firm based in Levis, Quebec, disclosed the data security incident in 2019.
The breach, which spanned two years, was the result of “unauthorized and illegal access” to data by a “malicious” employee, says the firm.
Desjardins initially claimed that 2.9 million people were affected, but later revised this figure to 4.2 million. It eventually transpired, however, that 9.7 million were affected.
‘Series of gaps’
Yesterday (December 14), Canadian Privacy Commissioner Daniel Therrien said the incident “was caused by a series of gaps in administrative and technological safeguards”.
A report by the Office of the Privacy Commissioner of Canada (OPC) concluded: “The investigation into the breach at Desjardins sheds light on the risks of internal threats, whether they are intentional or not.
“The OPC stresses the importance of vigilance and a holistic approach to addressing and mitigating the impact of such threats.”
The report found that for at least 26 months, an employee was exfiltrating sensitive personal information collected from customers who had purchased or received products offered directly or indirectly by the organization.
Desjardins offers insurance cover, mortgage rates, loans, and credit cards among other services, meaning that financial information was potentially exposed.
Insufficient data protection
The OPC claims that Desjardins did not sufficiently protect this data in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which states that personal information must be protected by security safeguards appropriate to the sensitivity of the information.
A statement reads: “This information was originally stored in two data warehouses to which the malicious employee had limited access. However, other employees, in the course of fulfilling their duties, would regularly copy that information onto a shared drive.
“As a result, employees who would not usually have the required clearance or the need to access some of the confidential data were able to do so.
“While these practices violated the financial institution’s policies, the technological measures in place to prevent these situations were lacking at the time of the breach.”
The investigation concluded that:
- Desjardins failed to ensure the proper implementation of its policies and procedures for managing personal information, some of which were inadequate to begin with.
- From a technological standpoint, the access controls and data segregation of the databases and directories were inadequate.
- Employee training and awareness were lacking considering the sensitive nature of the personal information the organization was entrusted with.
- Desjardins had not implemented retention periods or procedures regarding the destruction of personal information.
Desjardins agreed to a number of security improvements, including revising its data destruction practices. It will also report to the OPC every six months, and will employ external auditors who will submit reports to the OPC.
Daniel Therrien, privacy commissioner of Canada, said: “Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care.”
“The organization’s customers and members, and all citizens, were justifiably shocked by the scale of this data breach. That being said, we are satisfied with the mitigation measures offered to those affected and the commitments made by Desjardins.”
How can you protect against insider threats?
Incidents such as the Desjardins data breach act as a clear indication that organizations should remain vigilant over the risk of insider threats.
Calvin Gan, manager of the F-Secure Tactical Defense Unit, told The Daily Swig that while most companies may look into protecting against external threats, they sometimes fail to look at the internal risk.
“Misconfigurations on internal systems, employees not being aware of data sensitivity, or even files left in shared drives with the assumption that no one else would access them, often provide a false sense of security,” Gan said.
“Privilege access abuse is something that is common when there’s a rogue employee in the picture; this is often forgotten. Accesses are always a double-edged sword.”
Gan advised companies to ensure there are strong mitigations in place to stop any nefarious activity being committed by employees.
He also recommended “empowering” employees by offering training on how to protect an organization’s information and any data entrusted to them.
“Employ a zero-trust policy and always have proper authentication measures in place,” said Gan.
“Strong encryption methods should be enforced on all systems. The intention of this is to ensure a system will always be verifying the authenticity of the access and the person involved.
“Access rights have to always be audited, revoked, reassigned and monitored, more so if the organization has a high turnover rate.”
He added: “File access or downloads from IT systems should always be monitored, especially when large batches of data are being downloaded. This could indicate an exfiltration of data is in progress.”
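As an added illustration of the monitoring Gan describes above, and of the shared-drive clearance gap the OPC report found, the following example code is not part of the article or of any Desjardins system; the log format, the folder-name classification labels and the clearance table are all assumptions.

```python
# Added example: replay shared-drive access logs and flag two insider-risk
# signals named on the page: reads of confidential data by users who lack the
# matching clearance, and bulk downloads far above a user's own daily baseline.
from collections import defaultdict
from statistics import median

# Assumed clearance table (hypothetical): which data classes each user may read.
CLEARANCE = {"alice": {"marketing"}, "bob": {"marketing", "confidential"}}


def constructed_log():
    """Constructed sample log: '<date> <user> <action> <path> <bytes>' per line."""
    lines = []
    for day in range(1, 11):  # ten ordinary days of one file each
        lines.append(f"2019-03-{day:02d} alice READ /shared/marketing/plan{day}.xlsx 20480")
        lines.append(f"2019-03-{day:02d} bob READ /shared/confidential/case{day}.csv 40960")
    # Day 11: bob pulls 40 confidential files; alice reads one file she is not cleared for.
    lines += [f"2019-03-11 bob READ /shared/confidential/export{i}.csv 40960" for i in range(40)]
    lines.append("2019-03-11 alice READ /shared/confidential/export1.csv 40960")
    return "\n".join(lines)


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        date, user, action, path, size = line.split()
        events.append({"date": date, "user": user, "action": action, "path": path, "bytes": int(size)})
    return events


def data_class(path):
    # Assumption: the folder directly under /shared/ is the classification label.
    parts = path.split("/")
    return parts[2] if len(parts) > 2 else ""


def clearance_violations(events, clearance):
    """(user, path) pairs where the user read a class they are not cleared for."""
    return sorted({(e["user"], e["path"]) for e in events
                   if data_class(e["path"]) not in clearance.get(e["user"], set())})


def bulk_download_days(events, factor=5, min_files=10):
    """(user, date, count) for days far above that user's median daily file count."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_day[e["user"]][e["date"]] += 1
    flagged = []
    for user, days in per_day.items():
        baseline = median(days.values())  # user's own normal volume
        flagged += [(user, d, c) for d, c in sorted(days.items())
                    if c >= max(min_files, factor * baseline)]
    return flagged
```

Run both detectors over `parse(constructed_log())`: the clearance check surfaces alice's single out-of-scope read, and the volume check surfaces bob's 40-file day without flagging his routine single-file days.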