“I’d like to reassure our members and clients: their accounts and assets with Desjardins are protected in the event of fraud,” said President and CEO of Desjardins Group, Guy Cormier, in a statement.
However, his best efforts of an assuring statement provided little relief to the affected people.
So, let’s backtrack a bit and know what originally happened.
In December 2018, the municipal police force of the city of Laval, Quebec, was notified of a suspicious transaction by Desjardins.
Fast forward to June 20, 2019. The Desjardins Group suffered a data breach that leaked information of 4.2 million members, according to the latest update on the breach. And what’s worse, the data breach was carried out by an insider who leaked this information to a third-party.
This was the biggest breach in Canadian history and left the industry questioning the future of security. The breach revealed sensitive Personally Identifiable Information (PII) like social insurance number (SIN), this is the Canadian social security number and addresses. Alongside it exposed nonsensitive PII like the first name, last name, birth date, email address, and their banking patterns. Also, 173,000 business customers became victims, business names, phone numbers, the owner names, and accounts users were revealed.
Although the Group reassures that passwords, security questions, and PINs were not breached, the other set of information that was stolen could do significant damage. Whether the PIIs breached were sensitive or not, every data that can be traced back to a person can be used against them. (Learn more about PII here).
Hackers are getting smarter.. you, not so much
One might wonder, why did it take so long to detect this breach when there was a word about a suspicious transaction the previous year itself. This is because the average time to detect a breach and identify its impact is 197 days, according to a report by the Ponemone Institute. That is six months of your data at the hands of a bad actor before someone could even take appropriate measures.
When someone says hacker or someone who carried out the act of data breach, the usual picture that comes to one’s mind is probably of someone in a dark room hunched over his/her laptop. The reason why breaches have gotten out of hand today is that this picture has drastically changed, yet the mindset towards cybersecurity hasn’t as in the case of Desjardins.
The employee who carried out the breach used his access along with taking advantage of privileged accesses of others. According to a report by Verizon, 34% of the breaches were due to an insider. Now, who do you trust?
Although the bad actor in question here has been fired and is under investigation, is the employee the only one to blame here? The problem is with the entire system of cybersecurity. The perspective is old, security measures are not stable enough, and there aren’t enough policies in place to ensure this does not reoccur.
So, what did Desjardins do?
The members of the House of Commons public safety committee met along with few MPs who themselves were victims of this data breach. They had to establish whether Desjardins was at fault in this fiasco and if they failed to protect personal information.
A joint investigation was also launched by Quebec’s Access to Information officer and the federal privacy commissioner to understand whether Desjardins has been compliant with the provincial and federal laws of data protection.
Quebec’s Autorité des marchés financiers, called this a very serious situation, yet voiced his faith in the Desjardins officials and said, “They handled the situation with due rigor, transparency and speed and that the cooperation provided to law enforcement is full and complete.”
Although this data breach was a massive blow to the Desjardins Groups, they have been around for 119 years now since their inception in 1900 and have taken several security measures since to control the effect of the breach. They have been a trusted name.
Initially, Desjardins Groups claimed they would provide a credit-monitoring plan through Equifax to all those affected to ensure their identities are secure. They later extended it to five years.
But, a few days after, they had to revise their compensation plan when those who tried to sign up for the scheme were faced with long waits on call and downtime of Equifax’s website itself. This lead to only 13% of the 2.9% to be enabled with the plan. Thus, Desjardins announced that more than 4 million of their customers will be enabled with permanent digital protection. $50,000 for lost salary and notary fees due to possible identity theft and psychological counseling was a part of this plan.
What did this cost Desjardins? They had to pay a whopping sum of $53 million as a result of this data breach.
The government itself was faced with petitions from thousands of those who suffered a breach for a new social insurance number, which was later declared as not a feasible option.
The latest news about the breach revealed that the insurance would not only be available to those affected by the breach but to anyone who is going to do business with them. This covers a whole of 6 million people in Canada. Another unfortunate update about the breach is that in addition to the previously affected from the breach, another 2 million credit card holders are within the scope of the breach. This series of news unfolded in the month of December along with the departure of two of their senior executives.
Yet, the question still looms if the Canadians laws in question here will be effective in preventing any future breaches like this one. Comier himself said Canada remains ill-prepared for the 5G technology era and the massive data circulation.
Could this have been avoided? Absolutely. This is not an issue of this one bank. It is an issue around the globe. According to IBS Intelligence, 65% of the top banks in the US alone failed web security testing.
This is a very significant problem where hackers have gotten ahead of everyone, and we are playing catch up to clean their mess.
What can you do?
Data breaches are not just hard on the businesses. They can etch a footprint of anxiousness on the breached user forever. Personal, sensitive information is called personal for a reason. A retired doctor stated that his confidential credit files had been continuously breached and altered. He spoke about how his mail and cheque has gone missing. The hackers also tried to change his TransUnion Credit Bureau profile, leaving his personal information altered.
“I can tell you it’s very anxiety-provoking for your family to realize suddenly that somebody has this much information. It makes you feel very vulnerable” were his words.
Whether you are a bank, any other financial sector, healthcare, manufacturing, or any other industry—security is not an option. It is an absolute necessity today. The data of everyone you deal with daily is your responsibility. It is not just financial loss at stake, it is the aspect of trust as well. On cybersecurity, global spending is expected to be $6 trillion by 2021. This shows how vital cybersecurity is and why everyone has to get on this bandwagon.
Some solutions which can arm you against future breaches:
- Data Loss Prevention strategies must be in place. These will ensure that your data does not and cannot leave your network. Your sensitive, critical information cannot be available outside the corporate, trustworthy network.
- Multi-factor authentication. It is no longer the time to take passwords lightly, but it is the time to say goodbye to only password authentications. Several layers of authentications are quintessential for your security posture to thrive. Security questions, OTP, biometrics are some of the layers which can be added to exemplify authentication. This ensures internal access is never violated and authorizes access, ensuring people are who they claim to be.
- Governance at its best. Desjardins was a classic case of taking advantage of accesses. There must be stringent policy and compliance measures in place to always know who has access to what in your network. It is also necessary to streamline this process by automating the provisioning and de-provisioning of accesses. Especially when an employee leaves an organization, his/her access has to be revoked instantly. You do not want a begrudging employee leaving you with a data breach. Governance of privileged accounts must be carried out efficiently, as they have access to sensitive data that cannot fall into the hands of a bad actor.
- Analytics to monitor any change, anywhere, all the time. Cognitive technologies, in combination with IAM solutions, can radically ramp your security. If your network traffic is constantly monitored, any change, any unusual behavior can be detected immediately. This can allow a series of security measures to come into place. When anomalous behavior is seen, the authentication factors can be made more severe. Adaptive MFA can take the place of just MFA. When the alerts are high enough, access itself can be terminated altogether.
The domain of Identity Management is bound to transform your security. You have to take a step in prioritizing security over everything else and ensure that it is your organizational protocol. Desjardins Group was simply unfortunate to have experienced a breach of that volume. It could be anyone.
Do you want to wait around and see when that happens, or do you want to be secure? The choice is yours.