A rogue employee tore a 2.9 million-record-sized hole into his (now former!) employer’s hide, according to an advisory posted on Thursday by Canada’s Desjardins Group, the largest federation of credit unions in North America.
Desjardins has 7 million members. The leak, carried out by the since-fired employee, affected 2.7 million individuals and 173,000 businesses – about 41% of its clientele. The records were disclosed to unnamed people without authorization.
This was no breach, Desjardins said. It didn’t come under cyberattack, and its computer systems are just fine. This was the work of just one jerk. Or, as Desjardins described him, “an ill-intentioned employee who acted illegally and betrayed the trust of their employer.”
That person was fired.
The leaked information reportedly included names, birth dates, social insurance numbers, addresses, telephone numbers and email addresses, as well as information on banking habits – all of it illegally transferred to a third party.
Beware the fraudsters
That’s all good as gold to fraudsters. Quebec’s regulator of financial institutions, the Autorités des marchés financiers (AMF), warned on Friday that Desjardins members may be the target of phishing emails, text messages and telephone calls:
Fraudsters may be tempted to contact you to extract personal information under the pretext that they are doing so in connection with security measures or updates stemming from the incident.
Remember, the AMF said, Desjardins doesn’t ask for personal information by email, text or telephone. Be leery of phone calls that are purportedly related to this breach, and even if an email message looks like it came from Desjardins, don’t click on any links it may contain:
The AMF reminds you to never reply to e-mails, text messages or telephone calls asking for personal information, whatever the reason given. Contrary to what the fraudsters may try to make you believe, such e-mails and text messages do not come from your financial institution, even if they bear the institution’s logo.
Do not click on the Internet link that may appear, as it will direct you to a fake site mimicking your financial institution’s website in order to steal your personal information. Also be wary if you receive any unsolicited telephone calls in this regard.
Desjardins said that neither passwords, PINs nor security questions were leaked.
How long has this been going on?
According to CBC News, Desjardins called in the police after it saw a suspicious transaction in December 2018. It then took several months for the investigation to uncover the wide scope of the scheme. Police told the cooperative in May that some members’ personal information had been leaked, and Desjardins then undertook an internal investigation with the help of police in Laval, a Quebec city to the north of Montreal.
Claude Sarrazin, a security expert based in Montreal, told CBC that we’re missing a crucial piece of information: namely, who’s got the information?
Who has control over that information? The first thing we need to find out is where is the information – that wasn’t answered [on Thursday].
Desjardins said that it hasn’t seen a spike in fraud concerning members’ accounts since it uncovered the breach. It’s working with police on the ongoing investigation. The cooperative has also beefed up monitoring and security measures to protect members’ personal and financial information and is getting in touch with everybody who’s been affected:
We’re communicating directly with every member who’s been affected to explain what happened and what they can do.
As well, Desjardins said that it’s enhanced procedures to confirm people’s identities when they call.
Say hello to two class action suits
According to the Montreal Gazette, two proposed class action suits have been filed. One was filed in Quebec Superior Court on Friday on behalf of a Quebec City resident and is looking for compensation of up to $2.9 billion, as well as punitive damages of $290 million. That would be $300 for each affected credit union member, according to CBC News.
The second proposed suit doesn’t specify exactly how much compensation it’s after, although the plaintiff named in the suit is seeking $300 in punitive damages.
Both suits allege that the co-operative financial group failed to adequately safeguard its clientele’s personal and financial information.
Upping the credit-monitoring ante
According to the Montreal Gazette, when it first reported the breach on Thursday, Desjardins offered to foot the bill for one year of credit monitoring. That includes ” daily access to your credit report, alerts of key changes, and identity theft insurance.”
As of Friday, the cooperative had upped the ante, making the offer good for 5 years.
Pfft! scoffed one of the class action suits. It contends that Desjardins should shell out for 10 years of the monitoring, which typically costs $20/month.
How to protect your business from that one bad apple
You can have all the pricey security-fancy in the world, but this story is yet one more (painful) example of how much damage one “ill-intentioned employee” – and again, that’s French for “jerk” – can do.
Insider threats are real, whether we’re talking about cluelessness, avarice or malice. We’ve written about this quite a bit, particularly with regards to healthcare breaches. A few years back, Jonathan Lee, Sophos’s UK healthcare sector manager, wrote a post outlining five things healthcare organizations can do to better protect patient data. The tips can be applied to other sectors as well, including finance, so they’re worth revisiting:
1. Know your risk
The first thing to do is carry out a thorough risk assessment so that you know what threats you face, understand your vulnerabilities and assess the likelihood of being attacked. It’s only when that is complete that you can go on to the next stage of creating an integrated cybersecurity plan.
2. Follow best practice
Organizations too often spend money on cybersecurity solutions but then fail to properly deploy them. Make sure you’re following the recommendations for best practice when deploying your defenses.
3. Have a tried and tested incident response plan
Work on the assumption that an attack will happen and ensure you have a tried and tested incident response plan that can be implemented immediately to reduce the impact of the attack.
4. Identify and safeguard your sensitive data
It’s almost impossible to protect all your data all of the time, so identify the information you keep that would harm your organization if it were stolen or unlawfully accessed, and implement suitable data security procedures to ensure it is appropriately protected.
5. Educate employees
With so many breaches being the result of something an employee has done – inadvertently or otherwise – part of your cybersecurity plan must be to make sure all your staff know the risks they face and their responsibilities. Educating them is your job, and should be part of your plan.