The largest federal credit union in North America, Canadian bank Desjardins Group, was the victim of a data breach that leaked information on 2.9 million members.
While member passwords, security questions and PINs weren’t compromised, the leak did reveal sensitive data like names, addresses, birth dates, social insurance numbers (the Canadian equivalent of the social security number), email addresses and information on transaction habits for individual members. Business members saw their business names, telephone numbers, the names of owners and their AccèsD Affairs account users exposed.
The data breach wasn’t the result of an outside cyber attacker but of a malicious insider – someone within the company’s IT department who decided to go rogue and steal protected personal information from his employer. It’s easy to think of data breaches as the fault of cyber attackers hunched over laptops somewhere far away, but sometimes the real threat doesn’t need to break in. He’s already inside the building, with access to sensitive systems and personal data.
Working in the company’s IT department, the malicious insider behind the Desjardins Group breach already had some level of privileged access, and it’s likely that this is what he abused to access members’ personally identifiable information (PII). What’s not as clear is why this activity wasn’t detected earlier. An early report from CBC states that it took several months to learn the scope of the data-gathering scheme, a troubling trend that doesn’t seem to be going away. A report published by the Ponemon Institute estimates that the average time to identify a breach was 197 days in 2018 – more than 6 months. This gives malicious insiders or external attackers more than enough time to wreak havoc on their target.
According to Guy Cormier, president and CEO of Desjardins Group, this wasn’t an ordinary case of a company that had no controls in place to secure privileged access. He said that no one person at the bank has authority to access the information of all of the members. Apparently, the malicious insider in question used his own access and the privileged access of others to assemble the data trove. No matter what tactics or techniques were used by this attacker, foundational measures such as a properly architected privileged access management solution and multi-factor authentication likely would have thwarted the malicious insider from securing unauthorized access to the privileged credentials of his colleagues.
While the malicious insider has been fired, much of the damage has already been done. Desjardins first noticed a suspicious transaction all the way back in December 2018, but only recently learned the full scale of the breach. During that period of time, Desjardins collaborated with the police to investigate the suspicious transaction, discover the extent of the data breach, the identities of those affected and find the culprit. (He has since been arrested, but as of writing, has not been charged with the crime.)
In the meantime, Desjardins Group has promised to reimburse its members for any losses stemming from this data breach and to provide them with 12-month credit monitoring plans. While Desjardins Group hasn’t released the figures accounting for the damage, a breach with this level of notoriety will likely be costly – especially in terms of long-term brand damage and consumer trust. According to a study by Comparitech Ltd., public companies that have suffered a data breach underperform the Nasdaq by 15.6% three years after they reveal the breach.
This breach shows that a defense-in-depth security strategy that includes privileged access management, multi-factor authentication, and the detection of anomalous behavior with tools such as database activity monitoring has never been more crucial. Insider threats can be harder to identify, especially when the user already holds privileged access rights. Even so, a solution that monitors for unusual and unauthorized activity and can take automated remediation steps as needed helps reduce the time it takes to stop an attack and minimize data exposure. No one wants to have to wait six months or more to find out the full extent of the damage.
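The two signals this story turns on are an account pulling far more member records than its own history justifies, and a privileged account being used from somewhere it has never been seen (the "privileged access of others" point above). The following is an added example, not code from the original post or from Desjardins, of how a minimal database activity monitoring check could surface both from an audit log. The log format, the usernames (analyst1, dba_ops), the hosts, the dates and the thresholds are all constructed assumptions for the example.

```python
"""
Minimal database-activity-monitoring check (constructed example).

Signal 1: a user-day whose row volume dwarfs that user's own median day.
Signal 2: a privileged account used from a client host it was never seen on
          during a learning period, a hint that someone else's credentials
          are being used.
Audit-line format, users, hosts and thresholds are assumptions, not any
vendor's or Desjardins' real data.
"""
from collections import defaultdict
from statistics import median

# Constructed audit lines: timestamp, db user, statement, table, rows returned, client host.
SAMPLE_LOG = """\
2018-11-05T09:14:22Z user=analyst1 stmt=SELECT table=members rows=40 src=10.0.5.21
2018-11-06T10:02:10Z user=analyst1 stmt=SELECT table=members rows=35 src=10.0.5.21
2018-11-07T11:45:03Z user=analyst1 stmt=SELECT table=members rows=55 src=10.0.5.21
2018-11-08T09:30:41Z user=analyst1 stmt=SELECT table=members rows=48 src=10.0.5.21
2018-11-05T13:20:00Z user=dba_ops stmt=SELECT table=members rows=500 src=10.0.9.7
2018-11-06T13:25:00Z user=dba_ops stmt=SELECT table=members rows=450 src=10.0.9.7
2018-11-07T13:18:00Z user=dba_ops stmt=SELECT table=members rows=520 src=10.0.9.7
2018-12-03T22:41:17Z user=analyst1 stmt=SELECT table=members rows=180000 src=10.0.5.21
2018-12-04T23:05:52Z user=dba_ops stmt=SELECT table=members rows=600000 src=10.0.5.21
"""


def parse_line(line):
    """Turn one 'ts k=v k=v ...' audit line into a dict; rows becomes an int."""
    ts, *fields = line.split()
    rec = {"ts": ts, "day": ts[:10]}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["rows"] = int(rec["rows"])
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def daily_rows(records):
    """user -> day -> total rows returned that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["user"]][r["day"]] += r["rows"]
    return totals


def volume_alerts(records, multiplier=10, min_rows=1000):
    """Flag user-days whose volume exceeds multiplier x that user's median day.

    min_rows keeps tiny baselines from alerting on ordinary fluctuation.
    """
    alerts = []
    for user, days in daily_rows(records).items():
        baseline = median(days.values())
        for day, rows in sorted(days.items()):
            if rows >= min_rows and rows > multiplier * baseline:
                alerts.append({"user": user, "day": day, "rows": rows, "baseline": baseline})
    return alerts


def new_host_alerts(records, learn_before):
    """Learn each user's client hosts before `learn_before` (ISO date string),
    then flag any later activity from a host not in that set."""
    known = defaultdict(set)
    for r in records:
        if r["ts"] < learn_before:  # ISO-8601 strings compare chronologically
            known[r["user"]].add(r["src"])
    alerts = []
    for r in records:
        if r["ts"] >= learn_before and r["src"] not in known[r["user"]]:
            alerts.append({"user": r["user"], "ts": r["ts"], "src": r["src"],
                           "known_hosts": sorted(known[r["user"]])})
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in volume_alerts(recs):
        print(f"VOLUME  {a['user']} {a['day']}: {a['rows']} rows vs median {a['baseline']}")
    for a in new_host_alerts(recs, "2018-12-01"):
        print(f"NEWHOST {a['user']} {a['ts']} from {a['src']}, known {a['known_hosts']}")
```

In the sample data, both December pulls trip the volume check, and the dba_ops session on 4 December is also flagged because it comes from analyst1's workstation rather than the host dba_ops had always used. In production the baseline would come from weeks of history rather than a few days, and an alert would feed the automated remediation the paragraph above describes (session termination, credential checkout revocation) rather than a print statement.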
To learn more about how to detect insider threats and stop them, read The Danger Within: Unmasking Insider Threats.
To learn more about privileged access management, visit the Gartner Magic Quadrant for Privileged Access Management and read Privileged Access Security for Dummies.