Data Breach at Canadian financial service firm Desjardins

Headlines: Series of gaps allowed massive data breach at Desjardins.

Canadian financial firm Desjardins suffered a major data breach compromising nearly 10 million customers’ personal information. Desjardins confirmed that one of its own employees was behind the leak and noted that such insider threats are a common problem for companies of all sizes.

Desjardins, a financial management firm based in Levis, Quebec, disclosed the data security incident in 2019. The breach, which spanned two years, was the result of “unauthorized and illegal access” to data by a “malicious” employee.

Canadian Privacy Commissioner Daniel Therrien said the incident was the result of a series of gaps in administrative and technological safeguards.

Another report by the Office of the Privacy Commissioner of Canada concluded: “The investigation into the breach at Desjardins sheds light on the risks of internal threats, whether they are intentional or not.”

According to the report, for 26 months an employee was smuggling out sensitive personal information collected from customers who had purchased or received products offered directly or indirectly by the organization.

Desjardins offers insurance cover, mortgage rates, loans, and credit cards among other services, meaning that financial information was potentially exposed.

Recommendations:

A multi-layer defence across People, Process and Technology should include a strategy against insider threats and data leakage; the following measures are needed for a mature security framework:

  • Deploy a Data Leak Prevention solution that monitors all activity across all endpoints by default.
  • Ensure your network/Internet gateway has Data Leak Prevention capabilities enabled and configured for your use cases.
  • Extend Data Leak Prevention coverage to your cloud services, including SaaS subscriptions; modern CASB (Cloud Access Security Broker) services cover SaaS.
  • Define an organization-wide process for what is allowed and what is not, and enforce it through the deployed solutions.
  • Communicate acceptable-use requirements to employees, along with the disciplinary consequences of non-compliance.
  • Combine User Behaviour Analytics capabilities into your detection approach.
  • Provide role-based access on a need-to-know basis, following the least-privilege approach.
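One way to turn the User Behaviour Analytics and need-to-know items above into a concrete check, as an added example that is not from this article or from Desjardins: it flags record exports whose dataset falls outside a hypothetical role policy, and daily volumes far above the role's peer-group median. The log format, the role policy and the thresholds are all assumptions chosen for illustration.

```python
"""Insider-threat detection sketch: peer-group volume anomalies plus need-to-know checks.

Added example, not code from the article or from Desjardins. The log format,
the role policy and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample export-log lines: user,role,day,dataset,records_exported
SAMPLE_LOG = """\
alice,claims,2019-03-01,customers,42
alice,claims,2019-03-02,customers,38
bob,claims,2019-03-01,customers,51
bob,claims,2019-03-02,policies,47
carol,marketing,2019-03-01,campaigns,20
carol,marketing,2019-03-02,campaigns,25
mallory,marketing,2019-03-01,campaigns,22
mallory,marketing,2019-03-02,customers,1500
"""

# Hypothetical need-to-know policy: datasets each role may legitimately export.
ROLE_POLICY = {
    "claims": {"customers", "policies"},
    "marketing": {"campaigns"},
}

def parse_log(text):
    """Parse CSV-style log lines into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, role, day, dataset, n = line.split(",")
        rows.append({"user": user, "role": role, "day": day,
                     "dataset": dataset, "records": int(n)})
    return rows

def find_alerts(rows, policy=ROLE_POLICY, multiplier=5, floor=100):
    """Return alerts as (user, day, reason) tuples.

    Check 1: the dataset is outside the user's role policy (need-to-know violation).
    Check 2: the daily volume exceeds an absolute floor AND `multiplier` times the
    median daily volume of the role's peer group (a simple UBA-style baseline).
    """
    per_role = defaultdict(list)
    for r in rows:
        per_role[r["role"]].append(r["records"])
    baseline = {role: median(v) for role, v in per_role.items()}
    alerts = []
    for r in rows:
        if r["dataset"] not in policy.get(r["role"], set()):
            alerts.append((r["user"], r["day"], f"dataset {r['dataset']} outside role {r['role']}"))
        if r["records"] > floor and r["records"] > multiplier * baseline[r["role"]]:
            alerts.append((r["user"], r["day"], f"{r['records']} records vs peer median {baseline[r['role']]:g}"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The median keeps a single runaway day from dragging the peer baseline up, but in practice the baseline should be computed from a prior window rather than from the same day being scored.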

“No technology that’s connected to the internet is unhackable.”

― Abhijit Naskar
