Canada-based Desjardins Group, the largest association of credit unions in North America, has experienced a massive data breach. According to a news release regarding the incident, which was released on June 20, the data leak affects roughly 2.9 million members. Upon realizing that a leak had occurred, the Desjardins Group immediately involved authorities. The key things to know about the subsequent investigation are quoted below:
The investigation quickly traced the leak to a single source: an ill-intentioned employee who acted illegally and betrayed the trust of their employer. That person was fired. In light of these events, additional security measures have been put in place to ensure all our members’ personal and financial data remains protected... The following information was not compromised: AccèsD passwords (for both personal and business accounts), security questions and PINs. Desjardins has not been the target of a cyberattack. Our computer systems have not been compromised in any way by this incident. We have not seen a spike in fraud cases involving our members’ accounts in recent months.
The Desjardins Group goes on to state that they have beefed up protections for their members (such as intense monitoring of accounts and additional identity verification protocols). While this is absolutely the right way to handle an incident of this nature, members of Desjardins Group should not expect total protection as a result. Though there have been no reported cases of fraudulent activity, that does not mean it won’t happen in the future. When data leaks of this magnitude occur, it can take a while before cybercriminals spread all of the stolen data around the Dark Web. It would be wise for members to monitor their accounts for any suspicious activity, just in case something slips through the cracks.
What makes this Desjardins Group case so fascinating is that it highlights the human element of information security. As the investigation uncovered, it wasn’t some group of black hat hackers that got hold of the data; it was a disgruntled employee of the Desjardins Group. Security professionals so often focus, for understandable reasons, on the technical side of data protection that the human element gets disregarded. It is vital, especially in light of this incident, that InfoSec professionals keep the human element in mind as they set policy and security protections. It is impossible to prepare for every scenario, but in the case of cybersecurity, the simplest route to damage is usually the one criminals take.
This includes hackers and disgruntled employees of the Desjardins Group alike.