Insider Threats: Desjardins Bank's Data Breach
Introduction
In June 2019, Desjardins Bank, Canada's largest credit union, suffered a massive data breach affecting nearly 3 million individual members and 173,000 businesses. The culprit was an insider: a rogue employee who leaked sensitive data to external entities. The breach led to an estimated direct financial loss of $108 million, in addition to a $200 million class-action settlement.
The Breach in Detail
The bank first detected the breach in December 2019 and made it public on June 20, 2019. The incident was attributed to "unauthorized and illegal use of internal data" by a terminated employee. The method was startlingly straightforward: the malicious employee, who worked in the marketing department, used a script to compile information from various subfolders into a single file. This data was then transferred onto a USB drive. The breach lasted for a staggering 26 months, affecting the Personally Identifiable Information (PII) of millions.
Impact and Consequences
The financial toll on Desjardins was enormous, exceeding $300 million. More insidious was the likely impact on employee morale and the bank's reputation. The event led to increased scrutiny of the banking industry's data management practices and opened discussions about overhauling Canada's Social Insurance Number system.
Why Did It Happen?
Several factors contributed to the Desjardins data breach. Sébastien Boulanger-Dorval, the responsible employee, appeared to be motivated by personal financial gain, compounded by financial distress and personal issues (Séguin, 2020; Joncas, 2022). The breach also exposed lax internal security measures and a company culture too trusting to guard against internal threats (Office of the Privacy Commissioner of Canada, 2019; Canada, 2020; Schwartz, 2022).
Solution 1: Employee Risk Monitoring
Preventing insider threats requires a multi-pronged approach. Financial distress is a common motivator for internal threats (Shook et al., 2019; Maasberg et al., 2015). Implementing periodic background checks and offering financial wellness programs can mitigate such risks. Technological solutions like robust employee monitoring systems equipped with behavioral analytics and machine learning can flag suspicious behavior in real time (Payne, 2023; NIST, 2012).
Solution 2: Enhanced Data Access Monitoring
Employee data access monitoring could have prevented the breach. Implementing Role-Based Access Control (RBAC) as suggested by NIST SP 800-53 can restrict employees from accessing data not relevant to their roles (U.S. Department of Commerce, 2012). Security Information and Event Management (SIEM) systems can further monitor and analyze data access patterns effectively (Brook, 2022; Powell, 2021).
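The pattern in this case (one account reading across many folders outside its role, then copying the result to a USB drive) is what RBAC scoping combined with SIEM-style correlation is meant to surface. The sketch below is an added example, not code from the original article or from Desjardins; the role policy, the removable-media mount prefix and the log events are constructed assumptions.

```python
import posixpath
from collections import defaultdict

# Hypothetical RBAC policy: share roots each role may read (assumption).
ROLE_ROOTS = {
    "marketing": ["/shares/marketing"],
    "lending": ["/shares/lending", "/shares/members"],
}
REMOVABLE_PREFIX = "/media/usb"  # assumed mount point for removable drives

# Constructed file-access events: (minute, user, role, action, path).
EVENTS = [
    (1, "alice", "lending", "read", "/shares/members/profiles/a.csv"),
    (2, "bob", "marketing", "read", "/shares/marketing/campaigns/q2.xlsx"),
    (3, "bob", "marketing", "read", "/shares/members/profiles/a.csv"),
    (4, "bob", "marketing", "read", "/shares/lending/applications/b.csv"),
    (5, "bob", "marketing", "read", "/shares/business/accounts/c.csv"),
    (6, "bob", "marketing", "write", "/home/bob/merged.csv"),
    (7, "bob", "marketing", "write", "/media/usb0/merged.csv"),
    (8, "alice", "lending", "write", "/media/usb0/slides.pptx"),
]

def in_scope(role, path):
    """RBAC check: is the path under one of the role's permitted roots?"""
    roots = ROLE_ROOTS.get(role, [])
    return any(path == r or path.startswith(r + "/") for r in roots)

def detect_aggregation(events, min_folders=3):
    """Flag users who read from >= min_folders out-of-role folders and
    afterwards wrote to removable media. Returns {user: finding}."""
    folders = defaultdict(set)  # user -> out-of-role folders read
    usb = defaultdict(list)     # user -> removable writes after such reads
    for _, user, role, action, path in sorted(events):
        if action == "read" and not in_scope(role, path):
            folders[user].add(posixpath.dirname(path))
        elif (action == "write" and path.startswith(REMOVABLE_PREFIX)
              and folders[user]):
            usb[user].append(path)
    return {
        u: {"folders": sorted(f), "usb_writes": usb[u]}
        for u, f in folders.items()
        if len(f) >= min_folders and usb[u]
    }

if __name__ == "__main__":
    for user, finding in detect_aggregation(EVENTS).items():
        print(user, finding)
```

With RBAC enforced, the out-of-role reads would be denied outright; the correlation rule covers the case where access is broader than the role needs and the only signal is the breadth of reads followed by a removable-media write.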
Conclusion and Recommendations
The Desjardins Bank data breach underscores the importance of internal threat vigilance. Financial institutions must combine technological oversight with an organizational culture focused on data security. By doing so, they can better protect themselves against the financial and reputational damages wrought by such internal data breaches.
The case of Desjardins serves as a cautionary tale that every organization should heed. A multi-faceted approach that integrates both technological solutions and human factors is crucial for ensuring data security and risk mitigation.