The Canadian cooperative bank Desjardins and local authorities are currently dealing with a particularly hefty case of data abuse: A bank employee – who has since been dismissed – managed to steal the personal data of roughly 2.9 million customers. About 40% of Desjardins’ customers have been affected by the incident. Today, we are going to take a closer look at this case of internal data abuse.
Data Theft Due to Poor IT Security
Back in December 2018, the bank noticed a suspicious transaction and reported it directly to Laval police (Quebec). Since then, the bank has worked closely with authorities to investigate the incident and find the offender responsible for the transaction. The true extent of the incident was revealed only recently, and police informed Desjardins about this on June 14th, 2019.
A member of the bank’s IT department had extracted and passed on the data of over 2.7 million private customers and 173,000 business customers. This incident is not an example of a hacker attack from outside – it is an example of data abuse from within. For Desjardins, this fact is especially bitter to digest because the damage done to the bank’s image is likely to persist for years to come.
Lack of Access Management Enabled Data Abuse
The perpetrator was able to bypass security measures that were designed to prevent a single person from being able to access all customer records. There is no doubt that Desjardins’ access management system was not sophisticated enough to prevent the attack. The culprit was immediately fired and arrested by the police.
What Data Were Affected?
Private customers had their personal data stolen, including first and last names, dates of birth, social security numbers, addresses, phone numbers, e-mail addresses, as well as details on banking usage and Desjardins products.
Passwords, security questions and PIN codes were not affected. The bank immediately made the incident public and informed all persons concerned.
Financial Consequences for Desjardins
Aside from the damage to the bank’s image and the loss of credibility toward its customers, Desjardins also faces significant financial consequences. In a class action lawsuit filed with the Supreme Court of Quebec, the financial institution is being accused of negligence and of failing to fulfill its obligation to adequately protect customer data.
For those affected, damages of 300 US dollars each are being claimed. In addition, Desjardins is offering a 5-year credit monitoring service to all affected customers. The service includes daily access to credit reports, notification of important changes and identity theft insurance.
Ever since the attack became known, the bank has been working with police, authorities and IT security experts to minimize the damage and to guarantee better security in the future.