Desjardins Announces Security Breach in Episode with Echoes of Equifax

Canada’s largest credit union, Desjardins, announced a security breach caused by a former employee, who had taken the data of 2.9 million members without authorisation.

The case startlingly echoes the Equifax breach of 2017 and raises yet more questions about the preparedness of financial institutions to safely handle sensitive user data.

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, has said of the Desjardins breach:

“When just one employee, reportedly acting without acolytes, has uncontrollable access to such a huge amount of confidential data and even manages to take it away, there is reason to believe that some of the internal security controls are broken. Human factor remains the largest and probably the most dangerous risk that cannot be fully remediated. Most companies considerably underestimate human risk and then face disastrous consequences.

Employee awareness and continuous education programs, as well as properly implemented internal security controls, can greatly reduce the risk of human mistake and ruin even the most sophisticated phishing attacks. However, a malicious employee is a much more complicated case. First of all, security teams are already overloaded with tasks, processes and endless alerts, and therefore frequently disregard incidents caused by presumably trusted colleagues. Worse, some of the employee’s malicious activity is technically undistinguishable from the legitimate daily work. Nonetheless, major incidents akin to this one are usually easily detectable and preventable.”

The story comes as an uncomfortable reminder of the “devastating data breach” experienced by credit reference agency Equifax in the summer of 2017. Following a Senate committee hearing on the episode, Peter White (Co-founder and CEO of Rethink Technology Research) was damning in his indictment of corporate neglect in this area:

“The senate subcommittee found what most investigations find, which is that because security is a “grudge” purchase, during periods when things are not being hacked, finance guys cut funds to support proper process. It certainly amounts to cultural indifference.”
