The Canadian financial institution Desjardins was the victim of an insider threat that exposed the data of 2.9 million customers, including crucial personal and business information.

The Montreal-based credit union was told by the Laval Police Department that the information of 2.7 million individual customers, along with 173,000 business clients, had been leaked. An investigation found the breach to be the work of an employee, the company said in a statement.

“This incident was not a cyberattack. Desjardins computer systems were in no way breached during this incident, which was the result of illegal acts committed by the above-mentioned former employee,” the company said.

The employee in question has been fired and arrested by the Laval police, CBC News reported.

The consumer data leaked included first and last name, date of birth, social insurance number, address, phone number, email address and details about their banking habits and Desjardins products. Passwords, security questions, and PINs were not compromised.

Business customers had their names, addresses, telephone numbers, and the names of owners and AccèsD Affaires account users exposed. Some information about owners or AccèsD Affaires users may have also been affected. If that is the case, these people will receive a letter informing them of the situation, the company said.

The company has not said what position the insider threat held, the reason behind the release or exactly where the information was found by the police.

The company first became aware that something was amiss in December 2018, when it spotted a suspicious transaction. The full extent of the damage was determined over the intervening months. The employee was identified and suspended, at which point the data leak ended, CBC reported.

Ilia Kolochenko, ImmuniWeb's founder and CEO, said one issue is enabling a single person to have too much access.

"When just one employee, reportedly acting without acolytes, has uncontrollable access to such a huge amount of confidential data and even manages to take it away, there is reason to believe that some of the internal security controls are broken. Human factor remains the largest and probably the most dangerous risk that cannot be fully remediated. Most companies considerably underestimate human risk and then face disastrous consequences," Kolochenko said.