Malicious insider leaks personal information of 2.9m Desjardins customers
21 June 2019
Memories of the Morrisons’ data breach, in which a vengeful employee leaked the personal and financial information of nearly 10,000 Morrisons staff on the web in 2014, are still fresh in the minds of the thousands of employees affected by the leak.
The data breach led to a long-drawn legal battle that culminated with the High Court in Leeds finding Morrisons vicariously liable for the malicious insider’s actions and directing the company to pay compensation to the affected employees whose bank account details and national identity numbers were compromised.
However, the Supreme Court recently allowed Morrisons to appeal against the previous ruling on the grounds that the company spent a significant sum mitigating the breach, which means that for the affected employees the legal battle is far from over.
The Morrisons’ experience demonstrates the impact a data breach can have on affected people, especially if those responsible for data leaks are company employees themselves. Similar incidents of malicious insiders leaking company data to unauthorised entities have forced companies to implement strong access controls and identity management protocols, but the war against such data leaks is far from over.
Insider leak compromises PII of 2.9 million Desjardins customers
Earlier today, news arrived that Desjardins, Canada’s largest credit union, failed to prevent the leak of personal information of as many as 2.7 million personal members and 173,000 business members. According to the company, the breach occurred when “an ill-intentioned employee” disclosed the massive data tranche to unauthorised individuals who were not members or employees.
For personal members, the breach compromised first and last names, dates of birth, social insurance numbers, physical addresses, phone numbers, email addresses and other details; for business members, it compromised business names, business addresses, phone numbers, business owners’ names and AccèsD Affaires account usernames.
“We understand that this is a worrying situation. We sincerely regret the inconvenience it has caused. Your assets and accounts at Desjardins are protected—you won’t suffer a financial loss if unauthorized transactions are made in your Desjardins accounts as a result of this situation,” Desjardins said in a post on its website.
The credit union added that the data leak did not compromise the passwords of home and business customers’ AccèsD accounts (possibly because they were stored hashed and salted, or encrypted) and that it had not observed any spike in fraud cases involving its members’ accounts in recent months, indicating that the breach was restricted to customers’ personal information.
In order to reassure customers, Desjardins is offering affected customers a five-year credit monitoring plan, paid for by Desjardins, that includes daily access to credit reports, instant alerts of key changes and identity theft insurance. At the same time, the company has changed the way it identifies customers on incoming calls so that fraudsters cannot use the compromised information to impersonate customers.
“When just one employee, reportedly acting without acolytes, has uncontrollable access to such a huge amount of confidential data and even manages to take it away, there is reason to believe that some of the internal security controls are broken,” says Ilia Kolochenko, founder and CEO of ImmuniWeb.
Data leak highlights increasing importance of security controls
“The human factor remains the largest and probably the most dangerous risk that cannot be fully remediated. Most companies considerably underestimate human risk and then face disastrous consequences.
“Employee awareness and continuous education programmes, as well as properly implemented internal security controls, can greatly reduce the risk of human mistakes and ruin even the most sophisticated phishing attacks. However, a malicious employee is a much more complicated case.
“First of all, security teams are already overloaded with tasks, processes and endless alerts, and therefore frequently disregard incidents caused by presumably trusted colleagues. Worse, some of the employee’s malicious activity is technically indistinguishable from legitimate daily work. Nonetheless, major incidents akin to this one are usually easily detectable and preventable,” he adds.
Robert Ramsden-Board, VP of EMEA at Securonix, says that the Desjardins data leak is a good example of how devastating insider threats can be for organisations.
“One of the key challenges organisations face when detecting insider threats is trying to establish if the person accessing and extracting the data is doing this as part of their job, or with malicious intent. This is likely why Desjardins was only made aware of the breach after a warning from law enforcement officials.
“Today there are tools which banks and other organisations are recommended to deploy to help identify insider threats before any real damage occurs. These tools utilise machine learning to understand user behaviour and alert security teams when abnormal user activity occurs.
“Insider threats often get a lower level of attention and priority; however, this incident demonstrates that the consequences of such attacks can be significant. As a result, organisations are advised to give these types of attacks a bigger focus,” he adds.
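The behaviour-based detection Ramsden-Board describes, in which tooling learns what volume of customer-record access is normal for each employee and alerts when a day falls far outside it, can be illustrated with a small baseline-and-score routine. The following is an added example written for this article, not code from Desjardins, Securonix or any vendor; the access log, user names, roles, the cutoff date, the MAD-based scale floor and the alert thresholds are all constructed for illustration.

```python
"""Toy user-behaviour baseline for bulk customer-record exports.

Added example, not Desjardins' or Securonix's code. Each employee's daily
export count is scored against that employee's own history (robust z-score
from median and median absolute deviation) and against peers in the same
role; a day that is extreme on both axes raises an alert. Data is constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed daily export log (date,user,role,records_exported); not real data.
ACCESS_LOG = """\
2019-05-01,alice,analyst,120
2019-05-02,alice,analyst,130
2019-05-03,alice,analyst,115
2019-05-04,alice,analyst,125
2019-05-05,alice,analyst,110
2019-05-07,alice,analyst,135
2019-05-01,bob,analyst,90
2019-05-02,bob,analyst,100
2019-05-03,bob,analyst,95
2019-05-04,bob,analyst,105
2019-05-05,bob,analyst,98
2019-05-07,bob,analyst,99
2019-05-01,carol,analyst,100
2019-05-02,carol,analyst,110
2019-05-03,carol,analyst,105
2019-05-04,carol,analyst,95
2019-05-05,carol,analyst,100
2019-05-06,carol,analyst,108
2019-05-07,carol,analyst,24000
2019-05-01,dave,support,10
2019-05-02,dave,support,12
2019-05-03,dave,support,11
2019-05-04,dave,support,9
2019-05-05,dave,support,10
2019-05-07,dave,support,13
2019-05-06,erin,analyst,115
"""

BASELINE_CUTOFF = "2019-05-06"  # rows before this date train the baselines (assumed)


def parse_log(text):
    """Parse the CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, role, count = line.split(",")
        events.append({"date": date, "user": user, "role": role, "count": int(count)})
    return events


def robust_scale(values):
    """Median plus a MAD-derived scale. The scale is floored so a perfectly
    steady user (MAD == 0) cannot yield a division by zero or an infinite score."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = max(1.4826 * mad, 0.1 * med, 1.0)  # 1.4826 makes MAD comparable to a std dev
    return med, scale


def build_baselines(events, cutoff=BASELINE_CUTOFF):
    """Per-user and per-role (peer group) baselines from the training window."""
    per_user, per_role = defaultdict(list), defaultdict(list)
    for e in events:
        if e["date"] < cutoff:
            per_user[e["user"]].append(e["count"])
            per_role[e["role"]].append(e["count"])
    users = {u: robust_scale(v) for u, v in per_user.items()}
    roles = {r: robust_scale(v) for r, v in per_role.items()}
    return users, roles


def score_event(event, users, roles):
    """Return (z, peer_ratio). A user with no history (e.g. a new hire) is
    scored against the role's distribution rather than silently skipped."""
    base = users.get(event["user"]) or roles.get(event["role"])
    if base is None:
        return None  # nothing to compare against at all; caller decides what to do
    med, scale = base
    peer_med = max(roles[event["role"]][0], 1.0)
    return (event["count"] - med) / scale, event["count"] / peer_med


def detect(events, users, roles, cutoff=BASELINE_CUTOFF, z_threshold=5.0, peer_threshold=3.0):
    """Alert on scored days that are extreme both for the user and versus peers."""
    alerts = []
    for e in events:
        if e["date"] < cutoff:
            continue
        scored = score_event(e, users, roles)
        if scored is None:
            alerts.append({**e, "z": None, "peer_ratio": None, "reason": "no baseline"})
            continue
        z, ratio = scored
        if z > z_threshold and ratio > peer_threshold:
            alerts.append({**e, "z": round(z, 1), "peer_ratio": round(ratio, 1), "reason": "anomalous volume"})
    return alerts


def run(log_text=ACCESS_LOG):
    events = parse_log(log_text)
    users, roles = build_baselines(events)
    return detect(events, users, roles)


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['date']} {a['user']} ({a['role']}) exported {a['count']} records: "
              f"z={a['z']}, {a['peer_ratio']}x role median, {a['reason']}")
```

Requiring both a high per-user score and a high peer ratio is what keeps a naturally busy analyst from alerting every day, while the fallback to the role baseline means an account with no history, the case a naive per-user model would ignore, is still scored. In the constructed data only carol's 24,000-record day is flagged; her earlier, normal days and the new user erin are not.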