Canada's largest credit union and one of the world’s largest banks, Desjardins, published a security advisory after a former employee gained unauthorized access to the data of 2.9 million members.
The former employee was fired as a result of the security breach. In a statement posted on its website, the bank said, “The investigation quickly traced the leak to a single source: an ill-intentioned employee who acted illegally and betrayed the trust of their employer. That person was fired. In light of these events, additional security measures have been put in place to ensure all our members' personal and financial data remains protected.”
The bank also noted that it has not been the target of a cyber-attack, nor did the malicious employee access customers’ AccèsD passwords, security questions or PINs.
“The bank is saying that credit card numbers, security questions and so on were not taken. Is this supposed to make it OK?” said Dan Tuchler, CMO at SecurityFirst. “I’m sure those whose personal information was revealed are going to be concerned. Enterprises, especially banks, need to take both technical steps and human process steps to prevent this type of breach.”
In addition to monitoring all activity in member accounts, Desjardins also stated, “We're taking additional steps to confirm our members' and clients' identities when they call their Desjardins caisse or our AccèsD call centre.”
That one employee was able to gain access to such a vast amount of confidential data suggests that some internal security controls are broken, according to Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.
“Human factor remains the largest and probably the most dangerous risk than cannot be fully remediated. Most companies considerably underestimate human risk and then face disastrous consequences. Employee awareness and continuous education programs, as well as properly implemented internal security controls, can greatly reduce risk of human mistake and ruin even the most sophisticated phishing attacks.
“However, a malicious employee is a much more complicated case. First of all, security teams are already overloaded with tasks, processes and endless alerts and therefore frequently disregard incidents caused by presumably trusted colleagues. Worse, some of the employee’s malicious activity is technically undistinguishable from the legitimate daily work. Nonetheless, major incidents akin to this one are usually easily detectable and preventable.”