Data Breach at Canadian financial service firm Desajardins

December 18, 2020 Video Bytes Leave a comment 546 Views

Headlines: Series of gaps allowed massive data breach at Desjardins.

Canadian financial firm Desjardins suffered a major data breach compromising nearly 10 million customers’ personal information. Desjardins confirmed involvement of there employee behind the leak and indicated such insider threat a common problem among company of all sizes.

Desjardins, a financial management firm based in Levis, Quebec, disclosed the data security incident in 2019. The breach, which spanned two years, was the result of “unauthorized and illegal access” to data by a “malicious” employee.

Canadian Privacy Commissioner Daniel Therrien mentioned that the incident was a result of series of gaps in administrative and technological safeguards.

Another report by the Office of the Privacy Commissioner of Canada concluded: “The investigation into the breach at Desjardins sheds light on the risks of internal threats, whether they are intentional or not.”

According to the report, for 26 months an employee was smuggling sensitive personal information collected from customers who had purchased or received products offered directly or indirectly by the organization.

Desjardins offers insurance cover, mortgage rates, loans, and credit cards among other services, meaning that financial information was potentially exposed.

Recommendation:

Multi-layer defence across the People, Process and Technology should incorporate strategy to fight against insider threats for data leakage prevention, and following measures are necessary to have mature security framework:

Deploy Data Leak Prevention solution to monitor all activities across all endpoints by default.
Ensure your network/Internet gateway has Data Leak Prevention capabilities enabled and configured as per use cases.
Add Data Leak Prevention coverage for your cloud services including SaaS subscription. Modern CASB (Cloud Access Security Broker) services covers the SaaS services.
Make organization wide process to define what is allowed and what is not and enforce the same through deployed solutions.
Communicate employee on adherence of acceptable use and disciplinary action on non-compliance.
Combine User Behaviour Analytics capabilities in your detection approach.
Make provision for role-based access on need to know basis and with the least privilege approach.

“No technology that’s connected to the internet is unhackable.”
― Abhijit Naskar

WhitehatGuru

Data Breach at Canadian financial service firm Desajardins

Related Articles

Check Also

More than 3,00,000 Spotify accounts hacked

Leave a Reply Cancel reply

Thwarting XSS!

Online Safety: Things to Do & Things to Avoid

Understanding IP datagram – the easy way

Learn to Love your Log files

Cracking wireless Network WEP protection

Hiring for Computer Engineers McKinsey’s way

SpyShredder : Manual Removal Instruction

Orkut has banned you fool! The administrators didn’t write this program guess who did?

Microsoft Updates:Fix Nine Security Holes

Manually Removing MyDoom/W32/W32.Novarg.A-mm

Security breach at FireEye – even the best and biggest organizations can be victim

One of the biggest hacks of 2020

Firefox Update Plugs 8 Security Holes

EDI:lass {EDI: Integration as a Service}

Misconfiguration of Amazon AWS Web Services leaves half a million customers exposed

Facebook, WhatsApp, Instagram apps were down for nearly 6 hours

2 Big eye care providers hit by hackers resulting in Data breach

Man sentenced for 12 years in AT&T ‘Unlocking’ Scheme

Hackers access personal data of 79,400 customers of local mobile operator and internet service provider in Singapore

WhatsApp has been fined with a penalty of 225 million Euros for violating European Union Data protection law