June 21, 2019

Desjardins breach shows businesses “must give insider threats a bigger focus”

By Luke Christou

Desjardins, Canada’s largest credit union, has announced that data belonging to its 2.9 million banking customers, including data on 173,000 businesses, has been stolen in a breach.

The company has confirmed that personally-identifiable information (PII) was taken.

For individual customers this includes their name, date of birth, address, phone number, email address, social insurance number and banking usage data. For business customers this includes the business name, address, phone number, as well as the details of those with access to the account.

However, online banking passwords, security question answers, account PINs and card information are not believed to have been compromised.

The Desjardins breach is a case of insider threat, rather than a cyberattack. The data was accessed and taken by a Desjardins employee without authorisation and with “ill-intention”, according to CEO Guy Cormier.

The company was alerted to the breach on Friday, 14 June, after being notified by the Quebec police force. It is unclear how the breach was discovered.

Desjardins breach shows businesses must take insider threats seriously

The employee behind the attack has since been traced and dismissed. However, it is unclear what the attacker has done with the data since the breach occurred, or what they intended to do with it.

Desjardins could potentially face compensation costs, regulatory fines, reputational damage and loss of business as a result of the breach. The company has promised to reimburse any losses suffered by customers and will offer free credit check services to those affected for the next 12 months.

While the majority of breaches appear to be launched by attackers outside of an organisation, insider threats are often just as costly for businesses as cyberattacks launched by outsiders. As a result, organisations must start to give these types of attacks “a bigger focus” according to Robert Ramsden-Board, VP of EMEA at Securonix.

“Insider threats often get a lower level of attention and priority,” Ramsden-Board said. “However, this incident demonstrates the consequences of such attacks can be significant.”

A recent study by cybersecurity firm Deep Secure found that 25% of employees would be willing to sell information about their employer for as little as £1,000. Some 10% said they would sell their employer’s intellectual property for £250, with 5% willing to give it away for free.

The same study found that more than half of employees have taken information from their company network to pass on to a third party, such as a new employer.

A cybersecurity challenge

Particularly for those in the financial services industry, employees need frequent access to customer data in order to provide the service required of them. Knowing whether an employee is acting maliciously or simply doing their job can prove tricky for businesses.

“One of the key challenges organisations face when detecting insider threats is trying to establish if the person accessing and extracting the data is doing this as part of their job, or with malicious intent. This is likely why Desjardins was only made aware of the breach after a warning from law enforcement officials,” Ramsden-Board explained.

In order to minimise the possibility of insider threats, Jake Moore, cybersecurity specialist at ESET, told Verdict that businesses must pay closer attention to their data access controls.

“What’s important is that access to PII should be restricted to the smallest possible group of trusted and trained employees, and properly encrypted,” Moore explained.

There are also tools available, Ramsden-Board said, that can help organisations to detect and deny employee data requests that appear to be malicious. These tools use technologies like artificial intelligence and machine learning to learn ‘normal’ interaction with this data and notify the business’s security team should they detect abnormal activity.

Yet, despite the sensitive information that companies hold, many are failing to take even the slightest of precautions.

“We know that even these basic protections are not in place within many companies that hold this type of sensitive information,” Moore said.

