Credit Union Times, June 24, 2019, with comments from Willy Leichter.
The credit union reports “an ill-intentioned employee” swiped data of 2.9 million members.
Based in Lévis, Quebec, Desjardins is Canada’s biggest credit union. One of the world’s largest financial institutions with 7 million members and 46,216 people on staff, they manage $295.5 billion annually. And this week, they announced that one of their own employees intentionally caused a breach that affected millions.
Initial Discovery from Suspicious Transaction to Confirmed Data Breach
Desjardins learned of the breach, according to CBC News, after it contacted Laval police about a suspicious transaction in December 2018. Months later, in May 2019, police alerted Desjardins that personal information had been leaked. Desjardins specified that the leaked information did not include passwords or other information used for personal identification.
An “ill-intentioned employee” illegally took the data of nearly 3 million credit union members – 2.7 million home users and 173,000 business and associated contacts. The employee was fired after the incident was discovered.
Who’s Responsible – Insider Employees Who Break the Law or Their Employers?
The credit union hastened to say that no computers were breached and that certain banking information was not taken, i.e., credit card numbers, passwords and security questions.
The credit union’s Chief Executive Officer Guy Cormier said in a statement, “I’d like to reassure our members and clients their accounts and assets with Desjardins are protected in the event of fraud.”
Others in the field don’t find this especially comforting. The information taken included names, birthdates, social security numbers, addresses and phone numbers. Close to 3 million members were affected, along with business associates and contacts. These members have now had their information released “into the wild.”
Some have argued that, even though this was the sole action of a rogue employee, Desjardins still bears responsibility, because companies are largely responsible for the actions their employees are able to take. They should have training and procedures in place to monitor behavior, along with discovery mechanisms and response times capable of detecting suspicious activity.
Desjardins has said they’ve implemented more security measures “to ensure all our members’ personal and financial data remains protected.” Quebec’s financial authority said the situation was “very serious” but also praised law enforcement for their swift response and transparency in handling the incident.
More Summer Breaches Impacting Customers and Clients
Meanwhile, ZDNet discovered activity by a hacker group called Gnosticplayers who had gone after EatStreet. EatStreet is an online and mobile food ordering service with over 15,000 restaurants serving more than 250 cities. They announced a data breach in May that the hackers carried out from May 3 to May 17. The company shut down access as soon as they realized they had been breached.
The hack wasn’t restricted to just EatStreet. The hackers also went after other associated parties, including delivery services and other restaurants using EatStreet’s service.
They stole and released information such as names, phone numbers, email addresses, bank account numbers and routing numbers for those using these restaurant and delivery services. Some customer data may have contained everything needed to make fraudulent credit card charges: card numbers, expiration dates and verification codes, plus billing addresses, phone numbers and email addresses.
According to ZDNet, Gnosticplayers’ goal was to sell more than 1 billion users’ data. They got incredibly close, reaching 900 million records. Previous victims included Australia’s Canva, the Canadian photography site 500px and the American company Under Armour.
Personal Data Is Popular and Useful on the Dark Web
On the Dark Web, stolen data moves quickly. It is bought and sold, and it can be used within a matter of days or over a span of years. Credit card numbers with CVCs are especially valuable, since they let criminals impersonate real customers to make fraudulent purchases by phone or online, or to carry out other criminal activities.
Willy Leichter, vice president at Virsec, asserted, “The scale of this breach is startling considering it was perpetrated through just nine successful phishing emails. Many organizations still rely on ‘common sense’ of users not to click on phishing attempts, but that is completely inadequate.” Leichter maintained that organizations must move to defenses that assume users will make mistakes but still protect critical applications and data.
As these breaches continue on a weekly basis, enterprises in all industries, especially those holding sensitive information such as banks or healthcare providers, must step up and take appropriate actions to reduce and prevent these occurrences. Threats exist on the outside as well as from within. As a result, precautionary steps are needed in both the technical and the human behavioral areas.