Wednesday December 16, 2020 | NATIONAL
by Mary P Brooke, editor | Island Social Trends
Canada’s largest financial services data breach was caused by a series of gaps in administrative and technological safeguards, federal and Quebec privacy commissioners said in a report issued on December 14.
“Desjardins Group did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care,” said Daniel Therrien, Privacy Commissioner of Canada. “The organization’s customers and members, and all citizens, were justifiably shocked by the scale of this data breach. That being said, we are satisfied with the mitigation measures offered to those affected and the commitments made by Desjardins.”
Desjardins Group offers its credit card and other services through credit unions across Canada, including BC. The company says that its mission is to contribute to improving the economic and social well-being of people and communities within the compatible limits of its field of activity:
- by continually developing an integrated cooperative network of secure and profitable financial services, owned and administered by the members, as well as a network of complementary financial organizations with competitive returns, controlled by the members
- by educating people, particularly members, officers and employees, about democracy, economics, solidarity, and individual and collective responsibility.
Slow on the breach:
Desjardins learned of the breach second-hand: it was discovered by police in June 2019. The data breach involved 9.7 million active and inactive files of individuals who held accounts at Desjardins credit union branches, largely in Quebec and Ontario, but also elsewhere.
It was learned forensically that data had been copied by a staffer in the marketing department onto a USB stick and subsequently sold to a private lender. The data dump included first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories.
The unnamed employee was someone deep on the inside, described in the report by Desjardins as, “a skilled and high performing employee, and who was a key resource for many of his colleagues.”
Desjardins had recognized some of the security weaknesses that ultimately led to the breach — including the ability of staff to use unapproved storage devices like USB drives — and had a plan to remedy them including implementing data loss prevention technology, the commissioners said in the joint report.
“Nonetheless, it failed to rectify the issues in time to prevent what happened. Moreover, the breach occurred over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by the police.”
Absence of a culture of vigilance:
While Desjardins “invested a significant portion of its overall information security budget to fight against external threats,” the commissioners said, “in our view, the absence of a culture of vigilance against internal threats significantly contributed to the breach.”
At a press conference Therrien said it was “fairly startling” that almost half of the stolen data — 4 million files — involved people whose banking or credit card accounts had expired and shouldn’t have been kept by Desjardins. PIPEDA says Canadian organizations that fall under the law can only retain personal information needed for commercial reasons.
There has been evidence of a similar neglect of due diligence or vigilance in the stumbling ‘Bonus Dollars’ program that Desjardins offers to its credit card holders. The company to which Desjardins had subcontracted that service had, for months during the pandemic, failed to provide adequate customer service either online or by phone. It took a torrent of complaints for management to finally see what was going on.
The risk of insider threat:
The investigation into the breach at Desjardins highlights the risks of insider threats. The December 14 report by the Office of the Privacy Commissioner stresses the importance of vigilance and a holistic approach to addressing and mitigating the impact of such threats.
For at least 26 months the unnamed employee exfiltrated sensitive personal information to an unknown person or persons, said the report.
Data protection is hard, but organizations the size of Desjardins have the financial ability to do it, said Privacy Commissioner Daniel Therrien. In particular, he said it was “unacceptable that they did not have active [employee] monitoring systems. They had passive monitoring. You need to have proactive monitoring. And large companies need to be in a position to [do] that.”
He also complained of the “lack of proportionality” between the “massive volume” of personal information companies collect and the resources devoted to data protection. “The trend is when we [at the Office of the Privacy Commissioner] investigate complaints we often see the lack of proportionality.”
Therrien noted that under the proposed new federal private sector privacy law a tribunal would have the power to fine an organization millions not only for violating the law but also for not having sufficient data safeguards.
Asked what can be done beyond fines to get companies to put more resources into data protection, Quebec access to information commissioner Diane Poitras said giving individual consumers the right to sue firms [which is included in the proposed federal legislation] might help. “Unfortunately,” she said, “sometimes financial loss is the biggest incentive for businesses.”
Therrien agreed. “It’s an unfortunate truth that the bottom line is important.” But also, he added, “it’s a question of [consumer] trust at the end of the day.”
“Technology is complicated and these companies have large and complex systems to operate,” Therrien added. “But companies monetize personal information in their operations and they ultimately make profits. That is normal in a market economy. But it is important, as this case and others show, that it is important for companies small and large to take appropriate measures.”