A Data Breach at Desjardins Exposes the Personal Information of 2.9 Million of Its Members
In the aftermath of a data breach, the affected organizations usually issue official statements which are supposed to give people more information on what has happened. The wording does tend to get a bit fuzzy when the company gets to the point where it explains what has been done to ensure that no such incidents happen in the future. In the data breach notice that Desjardins Group issued yesterday, however, this particular bit is especially vague. Before we find out why, let's see what really happened.
Desjardins loses the data of 2.9 million of its customers
On June 14, Desjardins was contacted by Canadian law enforcement officers who had seen data that belongs to the credit union federation being transferred outside its systems. Desjardins started an immediate investigation and found out that someone had indeed made off with about 2.9 million customer records.
The leaked data belongs to 2.7 million individual customers (roughly 7% of Canada's entire population) and about 173 thousand businesses, and thankfully, the most sensitive banking details were not among it. Desjardins was quick to point out that passwords, PINs, security questions, and credit and debit card details were not affected by the breach. That said, a good deal of personally identifiable information was compromised.
For individual users, this included names, dates of birth, social insurance numbers, email and physical addresses, and data on how they have used Desjardins' products and services. The leaked data for businesses comprised business names, phone numbers, addresses, and the personal information of the people who had access to the corporate accounts.
Affected individuals can sign up for a 12-month credit monitoring plan paid for by Desjardins, and to minimize the chance of identity theft, the financial institution has updated its verification procedures. Although it didn't lose any banking information, Desjardins promised that customers who can prove that they have suffered monetary loss as a direct result of the breach will get their money back. The Autorité des marchés financiers, Quebec's financial regulator, said that it's "satisfied" with the way Desjardins is handling the "serious situation".
Why, then, did we mention that the data breach notification isn't incredibly specific on the precautions that should prevent similar incidents?
A single disgruntled employee was responsible for everything
Finding out what had happened wasn't a long process. After a quick investigation, Desjardins realized that it hadn't been the target of a cyberattack. The breach was caused by an unhappy employee who "betrayed the trust of their employer" and leaked the data. In other words, Desjardins' defenses were brought down from the inside.
This is the root of the problem. The people who wrote Desjardins' data breach notice didn't point out what the company has done to eliminate this particular threat because doing it is simply not possible.
If the modern world is to continue working the way it does now, employees like the one responsible for the Desjardins data breach need to have access to people's personal information. Most of them will turn out to be honest and diligent, but inevitably, some will go rogue, and people's details will end up in the wrong hands. The sad-but-true part is that beyond keeping that access as narrow as each job requires and watching for data leaving the organization (it was law enforcement, not Desjardins, that spotted the transfer this time), there's not much you can do about it.