Desjardins Group: Another Slap on the Wrist from Lawmakers

This is getting ridiculous: companies continue to lose peoples’ personal data and no one seems to care to do anything about it. Where’d it happen at this time? The Desjardins Group credit union co-op, a financial institution that you’d expect would have some of the tightest controls to prevent this kind of breach.

According to CBC/Radio-Canada, this breach was not caused by the nefarious hacks that seem to frequent today, but rather by an insider – an employee who accessed the data of 2.9 million Caisse Desjardins members and decided to share the information outside of the company. Details are sparse, but supposedly the compromised information included “names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits,” but not passwords, security questions, nor PINs. Well there’s some silver lining: they only stole your personal information, not the information that would let money be withdrawn out of the credit union’s coffers. Doesn’t that make you feel better?

Let’s think for a moment about how this type of data breach would have been possible: First, the malicious insider had a nefarious reason to do it. Maybe it’s being sold? We’re not yet told who this data was shared with (or sold to) but if I was one of these members I’d be very concerned about identity theft right now. From an information security perspective the insider would have needed access to the databases containing this data. Or maybe they improperly accessed a backup copy of the data, stored without proper security controls? Then, they would have been able to obtain the data as well as share it without too many red flags being thrown up. Details are sparse, but if it was shared externally over the network then it apparently was not caught by any Data Loss Prevention (DLP) systems. If it was carried out on media such as a flash drive then there doesn’t appear to be much control around that. Thinking this through, it raises so many questions that need to be asked:

  1. Was the employee’s role one that would have given them access to this data? Or did they find a way around access controls?
  2. How did the action of downloading the data of 2.9 million users not throw up more red flags than it did? How was it allowed in the first place? Database queries to do this should have been setting off all kinds of alarms in any decent SIEM or IDS.
  3. Why did DLP or physical media controls not prevent the exfiltration of the data?
  4. Why was the data stored in an unencrypted format? The fact that some data was lost while other data was not suggests that the Desjardins Group, apparently, cares more about passwords/security questions/PINS more than it cares about the personal information of its 2.9 million members.

Despite the severity of this breach (and the apparent lack of security controls at a financial institution!) and other breaches like it, doesn’t it seem like lawmakers are not doing enough about it? CBC/Radio-Canada’s article states that “Quebec’s regulator of financial institutions, the Autorités des marchés financiers (AMF), described the situation as ‘very serious’ but said it is ‘satisfied with the actions’ taken so far by Desjardins Group” (para. 9). Sounds like Desjardins Group will just be getting a slap on the wrist to me. Maybe a small fine? In my opinion, organizations that fail to adequately protect consumer data should be fined in a massive way – one that sets examples for other companies – and the affected consumers should also receive direct financial compensation, not just the B.S. publicity stunt of being given a year of free credit monitoring. Money is what these companies know, and that’s what will make them start caring.

Leave a Reply