Security

The Desjardins Data Breach + What We Can Learn From It

Are you a Canadian Desjardins customer? If so, you may be entitled to financial compensation from a $200.9 million lawsuit. On June 18th, 2022, the Supreme Court of Quebec approved the largest class-action settlement in the Canadian financial services sector to date, against financial services company Desjardins. The lawsuit was the result of a significant data breach between 2017 and 2019 which compromised the personal data of 9.7 million Desjardins users in Canada and abroad.

Desjardins Data Breach

On May 27th, 2019, the Office of the Privacy Commissioner of Canada was notified of a breach of security safeguards. The compromised data included personal information such as social insurance numbers, residential addresses, and transaction histories. Desjardins concluded that the breach was the result of an internal threat: an employee who had been exfiltrating sensitive personal information collected by Desjardins from customers who purchased or received products directly or indirectly from the company. As a result, Desjardins failed to adequately protect its clients’ personal information or adhere to PIPEDA compliance for over 26 months.

A breach of this significance raises the question of whether the company had appropriate security safeguards, and whether Desjardins met the accountability requirements for holding personally identifiable information (PII). The Office of the Privacy Commissioner of Canada concluded that Desjardins had, in fact, violated PIPEDA with “regard to accountability, retention periods, and security safeguards”.

So what can organizations learn from the Desjardins data breach to better protect clients’ personal information?

What We Can Learn

As with most data breaches, the impact could have been mitigated through proactive security measures. Organizations should have strong security practices within their infrastructure to protect against breaches such as the Desjardins data breach. In this instance, the breach was committed by an internal employee over a 26-month period. There were several strategies the company could have used to reduce both the duration of this event and the likelihood of its occurrence.

Here are some strategies your organization can use to prevent insider threats:

1. Implement Privileged Access Controls

The employee responsible for the data breach was a member of Desjardins’ marketing department. The information stolen was stored in their data warehouses which were accessible to all members of the department. As such, the employee had the necessary authorization to access the data warehouses and steal client data. To prevent this, Desjardins could have implemented privileged access controls.

Many organizations use the principle of least privilege (PoLP) to protect against internal threats. Under PoLP, employees are granted access to information only according to their role, level of authority, and credentials. For example, an entry-level employee does not require access, passwords, or any information that does not directly relate to their day-to-day functions, so that employee should not hold those data permissions and authorizations. With PoLP, information is only given on a need-to-know basis. This reduces the likelihood that an employee with malicious intent can easily reach information they have no business need for.
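The following is an added example of what a need-to-know policy for a data warehouse can look like in code; it is not Desjardins' code and the roles, dataset names, users and policy table are constructed for illustration. Access is denied by default: a role only sees the datasets and columns listed for it, sensitive columns additionally require a case identifier, and every decision (especially every refusal) is written to an audit trail so that repeated attempts to reach restricted data are visible to the organization.

```python
"""Deny-by-default, need-to-know access checks for a data warehouse.

Added illustration, not code from the article or from Desjardins. Roles,
datasets, column names and users below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which datasets, and which columns of them, each role may
# read for its day-to-day work. Anything absent here is denied; there is no
# department-wide "read everything" grant.
POLICY = {
    "marketing_analyst": {
        "campaign_metrics": {"campaign_id", "region", "click_rate"},
        # Aggregated, de-identified view only: no SIN, no address.
        "customer_segments": {"segment_id", "segment_size"},
    },
    "fraud_investigator": {
        "transactions": {"account_id", "amount", "merchant", "timestamp"},
    },
    "privacy_officer": {
        "customers": {"customer_id", "sin", "address"},
    },
}

# Column types at the heart of the breach described in the article. Reading
# them is treated as privileged and must be tied to a case identifier.
HIGH_SENSITIVITY = {"sin", "address", "transaction_history"}


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    """In-memory stand-in for a tamper-evident audit store."""
    entries: list = field(default_factory=list)

    def record(self, user, role, dataset, columns, decision):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "dataset": dataset,
            "columns": sorted(columns), "allowed": decision.allowed,
            "reason": decision.reason,
        })

    def denied(self):
        return [e for e in self.entries if not e["allowed"]]


def authorize(role, dataset, columns, case_id=None):
    """Evaluate one read request; the fall-through answer is deny."""
    grants = POLICY.get(role)
    if grants is None:
        return AccessDecision(False, f"unknown role {role!r}")
    permitted = grants.get(dataset)
    if permitted is None:
        return AccessDecision(False, f"role {role!r} has no grant on {dataset!r}")
    extra = set(columns) - permitted
    if extra:
        return AccessDecision(False, f"columns not granted: {sorted(extra)}")
    if set(columns) & HIGH_SENSITIVITY and not case_id:
        return AccessDecision(False, "sensitive columns require a case identifier")
    return AccessDecision(True, "granted")


def request_access(audit, user, role, dataset, columns, case_id=None):
    """Authorize and record the outcome, so refusals can be reviewed later."""
    decision = authorize(role, dataset, columns, case_id)
    audit.record(user, role, dataset, columns, decision)
    return decision


if __name__ == "__main__":
    audit = AuditLog()
    # A marketing analyst asking for raw SINs is refused and the attempt logged.
    print(request_access(audit, "m.user", "marketing_analyst", "customers", {"sin"}))
    # The same analyst reading campaign data succeeds.
    print(request_access(audit, "m.user", "marketing_analyst", "campaign_metrics", {"region"}))
    print("denied attempts:", audit.denied())
```

The important design choice is that the policy is keyed by role and column, not by department membership: a marketing role gets a de-identified segment view, and nothing in the table lets it reach the raw customer records at all.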

2. Perform Enterprise-Wide Risk Assessments

The best way to prevent insider threats is to continuously conduct risk assessments within the organization. As a company, you should know your critical assets and their vulnerabilities, as well as the threats that could negatively affect them. Companies should also consider the potential insider threats that could affect them. Once risks are analyzed, they should be prioritized, and IT security infrastructure should be routinely optimized and enhanced according to risk priority.

3. Monitor and Control Remote Access

What’s the best way to prevent insider threats? Catch them before the damage is done. It’s recommended that organizations deploy and configure wireless intrusion detection and prevention systems. In addition, mobile data interception systems should be considered. These tools monitor which employees are attempting to access certain types of data and can notify the responsible people within the organization when access to restricted data is attempted.

4. Assess Behavioural Patterns

Monitoring the behaviours of users within your organization can proactively prevent an attack. By using User and Entity Behaviour Analytics (UEBA) software, organizations can learn the typical behaviours of users and pinpoint unusual activities that do not match those behaviours. For example, if an employee typically logs in between the hours of 9 am and 6 pm, Monday to Friday, and the system detects account activity at 2 am on a Saturday morning, that may be a sign of impending risk, and security measures should be taken accordingly.
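As an added example of the baseline-and-deviation logic the paragraph describes (not code from the article or from any UEBA product), the script below builds a per-user profile from constructed warehouse query log lines and flags new events that fall on an unseen weekday, outside the user's usual hours, or read far more rows than the user ever has. The log format, user name, dates and row counts are all constructed; a real deployment would feed identity-provider and database audit logs into the same kind of profile.

```python
"""Baseline-and-deviation check in the spirit of UEBA, over constructed logs.

Added example, not part of the original article or any vendor product. The
log format, user names and numbers are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import re

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) rows=(?P<rows>\d+)$"
)

# Constructed: three weeks of an analyst's ordinary weekday, office-hours
# queries (March 2022; the 1st is a Tuesday).
BASELINE_LOG = [
    f"2022-03-{day:02d}T{hour:02d}:15:00 user=analyst01 event=query rows={rows}"
    for day, hour, rows in [
        (1, 9, 1200), (2, 10, 900), (3, 14, 1500), (4, 11, 800), (7, 9, 1100),
        (8, 16, 1300), (9, 13, 700), (10, 9, 1000), (11, 17, 1400), (14, 10, 950),
        (15, 15, 1250), (16, 9, 1050), (17, 12, 600), (18, 14, 1350),
    ]
]

# Constructed: one ordinary Monday query, then a Saturday 02:10 bulk read.
NEW_EVENTS = [
    "2022-03-21T10:05:00 user=analyst01 event=query rows=1100",
    "2022-03-26T02:10:00 user=analyst01 event=query rows=250000",
]


def parse(line):
    """Turn one log line into a record; refuse anything off-format."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "user": d["user"],
            "event": d["event"], "rows": int(d["rows"])}


def build_baseline(lines):
    """Per user: weekdays seen, hours seen, and the largest read so far."""
    baseline = defaultdict(lambda: {"weekdays": set(), "hours": [], "max_rows": 0})
    for rec in map(parse, lines):
        b = baseline[rec["user"]]
        b["weekdays"].add(rec["ts"].weekday())
        b["hours"].append(rec["ts"].hour)
        b["max_rows"] = max(b["max_rows"], rec["rows"])
    return baseline


def deviations(rec, baseline, hour_slack=1, volume_factor=3):
    """List the ways one event departs from its user's baseline (empty = normal)."""
    b = baseline.get(rec["user"])
    if b is None:
        return ["no baseline for this user"]
    reasons = []
    if rec["ts"].weekday() not in b["weekdays"]:
        reasons.append("activity on a weekday never seen in baseline")
    lo, hi = min(b["hours"]) - hour_slack, max(b["hours"]) + hour_slack
    if not lo <= rec["ts"].hour <= hi:
        reasons.append(f"hour {rec['ts'].hour:02d} outside usual {lo:02d}-{hi:02d}")
    if rec["rows"] > volume_factor * b["max_rows"]:
        reasons.append(f"{rec['rows']} rows read, baseline max {b['max_rows']}")
    return reasons


def scan(new_lines, baseline):
    """Return {line: reasons} for every new event that deviates."""
    flagged = {}
    for line in new_lines:
        reasons = deviations(parse(line), baseline)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    profile = build_baseline(BASELINE_LOG)
    for line, reasons in scan(NEW_EVENTS, profile).items():
        print(line)
        for r in reasons:
            print("   -", r)
```

Each deviation is reported separately rather than collapsed into a single score, so an analyst reviewing the alert can see that the event is unusual on three independent axes (day, hour and volume), which is a much stronger signal than any one of them alone.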

What This Means for You

Law firms Siskinds Desmeules and Kugler Kandestin represented class members in the case. In a recent settlement notice, the lawyers stated that those affected by the breach, regardless of location, will be entitled to compensation. Class members are able to seek compensation for loss of time related to the personal information breach, as well as for any identity theft that may have occurred. In addition, members who have not previously registered for Equifax’s credit monitoring service will be able to do so at Desjardins’ cost for the next five years.

Current and former members of Desjardins, as well as clients and ex-clients who have used Desjardins credit cards and/or financial products, could qualify. If you were affected by this breach and would like to be financially compensated, no further action is necessary at this time. Claim instructions will be provided beginning July 21st, 2022 and distributed over several months.

As for protecting clients’ personal data, organizations should take the necessary security precautions to prevent insider threats from compromising client information and protect against reputational and financial damages.

Joakim Rodrigues