A rogue employee tore a 2.9 million-record-sized hole into his (now former!) employer’s hide, according to an advisory posted on Thursday by Canada’s Desjardins Group, the largest federation of credit unions in North America.
Desjardins has 7 million members. The leak, carried out by the since-fired employee, affected 2.7 million individuals and 173,000 businesses – about 41% of its clientele. The records were disclosed to unnamed people without authorization.
This was no breach, Desjardins said. It didn’t come under cyberattack, and its computer systems are just fine. This was the work of just one jerk. Or, as Desjardins described him, “an ill-intentioned employee who acted illegally and betrayed the trust of their employer.”
That person was fired.
The leaked information reportedly included names, birth dates, social insurance numbers, addresses, telephone numbers and email addresses, as well as information on banking habits – all of it illegally transferred to a third party.
Beware the fraudsters
That’s all good as gold to fraudsters. Quebec’s regulator of financial institutions, the Autorités des marchés financiers (AMF), warned on Friday that Desjardins members may be the target of phishing emails, text messages and telephone calls:
Fraudsters may be tempted to contact you to extract personal information under the pretext that they are doing so in connection with security measures or updates stemming from the incident.
Remember, the AMF said, Desjardins doesn’t ask for personal information by email, text or telephone. Be leery of phone calls that are purportedly related to this breach, and even if an email message looks like it came from Desjardins, don’t click on any links it may contain:
The AMF reminds you to never reply to e-mails, text messages or telephone calls asking for personal information, whatever the reason given. Contrary to what the fraudsters may try to make you believe, such e-mails and text messages do not come from your financial institution, even if they bear the institution’s logo.
Do not click on the Internet link that may appear, as it will direct you to a fake site mimicking your financial institution’s website in order to steal your personal information. Also be wary if you receive any unsolicited telephone calls in this regard.
Desjardins said that neither passwords, PINs nor security questions were leaked.
How long has this been going on?
According to CBC News, Desjardins called in the police after it saw a suspicious transaction in December 2018. It then took several months for the investigation to uncover the wide scope of the scheme. Police told the cooperative in May that some members’ personal information had been leaked, and Desjardins then undertook an internal investigation with the help of police in Laval, a Quebec city to the north of Montreal.
Claude Sarrazin, a security expert based in Montreal, told CBC that we’re missing a crucial piece of information: namely, who’s got the information?
Who has control over that information? The first thing we need to find out is where is the information – that wasn’t answered [on Thursday].
What now?
Desjardins said that it hasn’t seen a spike in fraud concerning members’ accounts since it uncovered the breach. It’s working with police on the ongoing investigation. The cooperative has also beefed up monitoring and security measures to protect members’ personal and financial information and is getting in touch with everybody who’s been affected:
We’re communicating directly with every member who’s been affected to explain what happened and what they can do.
As well, Desjardins said that it’s enhanced procedures to confirm people’s identities when they call.
Say hello to two class action suits
According to the Montreal Gazette, two proposed class action suits have been filed. One was filed in Quebec Superior Court on Friday on behalf of a Quebec City resident and is looking for compensation of up to $2.9 billion, as well as punitive damages of $290 million. That would be $300 for each affected credit union member, according to CBC News.
The second proposed suit doesn’t specify exactly how much compensation it’s after, although the plaintiff named in the suit is seeking $300 in punitive damages.
Both suits allege that the co-operative financial group failed to adequately safeguard its clientele’s personal and financial information.
Upping the credit-monitoring ante
According to the Montreal Gazette, when it first reported the breach on Thursday, Desjardins offered to foot the bill for one year of credit monitoring. That includes ” daily access to your credit report, alerts of key changes, and identity theft insurance.”
As of Friday, the cooperative had upped the ante, making the offer good for 5 years.
Pfft! scoffed one of the class action suits. It contends that Desjardins should shell out for 10 years of the monitoring, which typically costs $20/month.
How to protect your business from that one bad apple
You can have all the pricey security-fancy in the world, but this story is yet one more (painful) example of how much damage one “ill-intentioned employee” – and again, that’s French for “jerk” – can do.
Insider threats are real, whether we’re talking about cluelessness, avarice or malice. We’ve written about this quite a bit, particularly with regards to healthcare breaches. A few years back, Jonathan Lee, Sophos’s UK healthcare sector manager, wrote a post outlining five things healthcare organizations can do to better protect patient data. The tips can be applied to other sectors as well, including finance, so they’re worth revisiting:
1. Know your risk
The first thing to do is carry out a thorough risk assessment so that you know what threats you face, understand your vulnerabilities and assess the likelihood of being attacked. It’s only when that is complete that you can go on to the next stage of creating an integrated cybersecurity plan.
2. Follow best practice
Organizations too often spend money on cybersecurity solutions but then fail to properly deploy them. Make sure you’re following the recommendations for best practice when deploying your defenses.
3. Have a tried and tested incident response plan
Work on the assumption that an attack will happen and ensure you have a tried and tested incident response plan that can be implemented immediately to reduce the impact of the attack.
4. Identify and safeguard your sensitive data
It’s almost impossible to protect all your data all of the time, so identify the information you keep that would harm your organization if it were stolen or unlawfully accessed, and implement suitable data security procedures to ensure it is appropriately protected.
5. Educate employees
With so many breaches being the result of something an employee has done – inadvertently or otherwise – part of your cybersecurity plan must be to make sure all your staff know the risks they face and their responsibilities. Educating them is your job, and should be part of your plan.
Simon McAllister
Was this the work of an individual with access to the IT systems? Or can any employee in that organisation lookup and export such a large scope of information? If it was the latter, I’d say the organisation could have prevented this, as access to information held in databases such as CRM systems should be limited so that individuals cannot walk away with such valuable (and damaging) chunks of it.
ITZec
I agree. If proper controls, segmentation, permissions/access, and DLP were in place, this employee theoretically shouldn’t of been able to extract this much confidential data. Only way I can picture it happening is if they were a CyberSecurity Admin and could cover their tracks, or the company simply didn’t have the proper security controls in place.
Eric Ste-Marie
Even if the user had access to the IT system, safeguards are possible. For instance. Database protection with an HSM prevents a sysadmin from accessing unencrypted data, when the HSM and keys are managed by Secops. As for the DBA, only give them terminal access to the environment, allowing only display and preventing data downloads.
Matt Parkes
If this was the former however, this is where the trickiness lies, an authorised user who performs and illegal or unauthorised action, you need a way of monitoring what users are doing and try and stop actions that are outside the norm, but how would you know if it was outside of the norm until someone questioned the action and by that time it’s too late. Is the system being used to perform the action in-house or off the shelf is their controls in place which would ask the question before the action is allowed to happen?
fred touchette
Wait,…that employee was just fired?!
anne
Do you really think it is a one person job???
Common!!! Don’t be such a fool! It is the work of a well organized group and this is the information that Desjardins is keeping from everybody.
BT
Also, it seems they know who the person was, so has there been any criminal charges or is the company itself stocking it up to whoops, our bad for letting an employee do that?
Anonymous
It was a marketing consultant using a stratagem to be able to get the data
Anonymous
No disclaimer on offer equifax. It is free but do you still have right to legal action if damaged?
Anonymous
Today is June 7 2020 – I just received a letter this past Friday from Desjardin on this situation!!! What took so long? I cancelled my dealing with Desjardin three years ago so why would they have the need to retain my personal information and history on file! All such information could have been deleted from their register long ago! Whether or not you are currently in a relationship, or if you share a past history with Desjardin, you’re exposed!
Dennis Reilley
Was the fraudster/data thief ever caught? Hasn’t been a peep in the press since 2020. Dated 16 june 2021
Paul Ducklin
The Canadian Privacy Commissioner published a report at the end of 2020, more than a year after this article was published… Desjardins came under the pump in that report, but I am not sure what happened, if anything, to the person who was allegedly responsible.
According to this story they got sacked (which implies their identity was known) but whether they were ever charged, or even deemed to have any criminal liability, I do not know.