The Canadian cooperative bank Desjardins and domestic authorities are currently dealing with a particularly serious case of data theft: A bank employee, who has since been dismissed, swiped the personal data of roughly 2.9 million customers. About 40% of Desjardins’ customers are affected by the incident.
Back in December 2018, the bank noticed a suspicious transaction and reported it directly to Laval police (Quebec). Since then, the bank has worked closely with the authorities to investigate the incident and find the offender responsible for the transaction. The true extent of the disaster was revealed only recently: police informed Desjardins about it on June 14th, 2019.
A member of the bank's own IT department had stolen data from 2.7 million private customers and 173,000 business customers and passed it on to third parties. The incident was not a hacker attack from outside, but a case of data abuse from within. That fact is especially bitter to digest, for it can be assumed that the damage done to the bank’s image will persist for years to come.
The perpetrator was able to bypass security measures that were designed to prevent a single person from being able to access all customer records. There is no doubt that Desjardins’ access management system was not sophisticated enough to prevent the attack. The culprit was immediately fired and arrested by the police.

Precisely What Data Were Affected?

Private customers had their personal data stolen, including first and last names, dates of birth, social security numbers, addresses, phone numbers, e-mail addresses, as well as details on banking usage and Desjardins products.
The stolen business customer records include company names, business addresses, business phone numbers, and the names of owners and users of the AccèsD Affaires accounts.
Passwords, security questions and PIN codes were not affected. The bank immediately made the incident public and informed all persons concerned.

[FREE WHITEPAPER] Best Practices for Access Management in Microsoft® Environments

Read our whitepaper to learn how best to treat access rights in Microsoft® environments.

Download

Consequences For Desjardins

Aside from the great damage done to the bank’s image and the loss of credibility toward its customers, Desjardins must now also face significant financial consequences. In a class action lawsuit filed with the Supreme Court of Quebec, the financial institution is being accused of negligence and of failing to fulfill its obligation to adequately protect customer data from abuse. For those affected, damages of 300 US dollars each are being claimed.
In addition, Desjardins is offering a 5-year credit monitoring service to all affected customers. The service includes daily access to credit reports, notification of important changes and identity theft insurance.
Ever since the attack became known, the bank has been working with police, authorities and IT security experts to minimize the damage and to ensure greater security in the future.

Financial Services Authority Warns Against Fraud

Quebec’s financial services authority warned that Desjardins’ customers may now fall prey to fraudulent emails, text messages, and phone calls due to the data breach. Scammers may try to contact the victims of the incident under the false pretense of needing to take security measures and wanting to provide updates regarding the incident.

Correct Access Rights Can Provide Protection

The matter clearly demonstrates the damage that can be caused by internal IT security staff. Companies are usually afraid of hacker attacks and take immense security precautions to prevent outside attacks from happening. They tend to forget, however, that the dangers lurking within need to be addressed too. We know for sure that people can only steal data to which they actually have access. The natural conclusion is that sufficient protection can only be provided by a sophisticated access rights management system.

While you’re here – why don’t you sign up for our webinar?

“Top 5 Risks in Access Management” –
held by Helmut Semmelmayer, tenfold Software GmbH

Sign up for free
