Desjardins, Canada’s largest credit union and one of the world’s biggest banks, announced a security breach caused by a bank employee who had taken the data of 2.9 million members (2.7 million home users and 173,000 businesses). For home users, the exposed information included first and last name, date of birth, social insurance number, address, phone number, email address, and details of banking habits and Desjardins products. For business customers, the exposed information included business name, business address, business phone number, owner’s name and names of account users.
Commentary: One of the hardest threats to detect and prevent is the malicious insider, who exploits legitimate access to steal information or otherwise cause harm to the business. The potential for harm can be reduced by ensuring that access to sensitive information is tightly restricted on a need-to-know basis and is removed promptly when no longer needed. Sometimes, however, the best defense is being ready to deal with such an incident when it occurs, so as not to be caught flat-footed. In this case, it was not the bank that detected the incident; rather, the police notified the bank of the missing data, presumably while investigating the individual in question.
Likely Threat(s): Malicious Insider
Likely Motive(s): Theft, Fraud?
Likely Means: 6.3 Inappropriate access to information
Opportunities: Access Management, Data Loss Prevention, Employee Vetting, Incident Response