The largest federal banking firm in North America, Canada's Desjardins Group, was the victim of a recent data breach that exposed information on 2.9 million customers.
Customers’ sensitive credentials weren’t compromised, but the leak did reveal sensitive data like names, addresses, birth dates, social insurance numbers (Canada’s equivalent of the social security number), email addresses and information on transaction habits for individual members. Corporate customers saw their business names, phone numbers, names of owners and their Accès D’ Affairs account users exposed.
The massive data leak wasn't the result of an outside hacker or threat actor, but of a bank employee: someone within the company's IT department who decided to go rogue and steal high-value personal information from the bank. It's easy to think of data breaches as the work of hackers hunched over laptops somewhere distant, but sometimes the real threat doesn't need to break in. He's already inside the building, with access to the bank's systems and sensitive data.
Working in the company's IT department, the malicious insider behind the Desjardins Group breach already had some level of privileged access, and it's likely that this is what he abused to reach members' personally identifiable information (PII). What's less clear is why this activity wasn't detected earlier. An early report from CBC states that it took several months to learn the scope of the data-gathering scheme, a troubling trend that doesn't seem to be going away.
Apparently, the malicious insider in question used both their own access and the privileged access of others to assemble the data trove. Whatever tactics or techniques this attacker used, foundational measures such as a properly architected privileged access security solution and multi-factor authentication would likely have thwarted the malicious insider from obtaining unauthorized access to the privileged credentials of his colleagues.
While the malicious insider has been fired, much of the damage has already been done. Desjardins first noticed a suspicious transaction all the way back in December 2018, but only recently learned the full scale of the breach. During that time, Desjardins collaborated with the police to investigate the suspicious transaction, determine the extent of the data breach and the identities of those affected, and find the culprit. (He has since been arrested but, as of this writing, has not been charged with the crime.)
In the meantime, Desjardins Group has promised to reimburse its members for any losses stemming from this data breach and to provide them with 12-month credit monitoring plans. While Desjardins Group hasn't released figures accounting for the damage, a breach with this level of notoriety will likely be costly, especially in terms of long-term brand damage and consumer trust. According to a study by Comparitech Ltd., public companies that have suffered a data breach underperform the Nasdaq by 15.6% three years after they reveal the breach.
Insider threats can be more difficult to identify, especially when the user already holds privileged access rights. Even so, a solution that monitors for unusual and unauthorized activity, and that can take automated remediation steps as needed, helps reduce the time it takes to stop an attack and minimizes data exposure.
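As an added illustration (not Desjardins' code or tooling) of the kind of monitoring described above, the following Python sketch runs two simple detections over a constructed access log: bulk member-record reads far above an account's normal volume, and one workstation driving several privileged accounts within a short window, which is the credential-sharing pattern the post describes. The log format, accounts, hosts and thresholds are all assumptions.

```python
# Added example, not from the original post: two insider-pattern checks over
# constructed privileged-access log lines. Format is an assumption:
# timestamp|account|workstation|member_records_read
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real accounts, hosts or volumes).
SAMPLE_LOG = """\
2018-12-03T09:00:00|alice.admin|WS-1041|12
2018-12-03T09:20:00|alice.admin|WS-1041|15
2018-12-03T22:10:00|alice.admin|WS-2207|4800
2018-12-03T22:35:00|bob.dba|WS-2207|5200
2018-12-03T22:50:00|carol.ops|WS-2207|3100
2018-12-04T10:00:00|bob.dba|WS-3090|30
"""


def parse(log):
    """Turn the pipe-delimited log into (timestamp, account, host, count) rows."""
    rows = []
    for line in log.splitlines():
        ts, acct, host, n = line.split("|")
        rows.append((datetime.fromisoformat(ts), acct, host, int(n)))
    return rows


def bulk_reads(rows, threshold=1000):
    """Flag single events that read more member records than the threshold."""
    return [(ts.isoformat(), acct, host, n)
            for ts, acct, host, n in rows if n >= threshold]


def shared_workstations(rows, window=timedelta(hours=1), min_accounts=3):
    """Flag a host from which several distinct privileged accounts act within one window."""
    by_host = defaultdict(list)
    for ts, acct, host, _ in rows:
        by_host[host].append((ts, acct))
    alerts = []
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accts = {a for t, a in events[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                alerts.append((host, tuple(sorted(accts))))
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("bulk reads:", bulk_reads(rows))
    print("shared workstations:", shared_workstations(rows))
```

In a real deployment the thresholds would come from per-account baselines, and an alert would feed the automated remediation step (session termination, credential rotation) rather than a print statement.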