Desjardins Suffers Data Leak – 2.7 Million Customers Compromised

Canadian insurance company Desjardins has suffered a data leak. In all, 2.7 million customers have had their information exposed.

Another day, another security incident. This time, the victim is Canadian insurance company Desjardins. The leak is blamed on a former employee working on the inside. According to the CBC, it is alleged that the employee took that information and shared it with others. From the report:

An employee with “ill-intention” at Desjardins Group collected information about nearly three million people and businesses and shared it with others outside the Quebec-based financial institution, officials revealed Thursday.

The data breach affects around 2.7 million people and 173,000 businesses, more than 40 per cent of the co-operative’s clients and members. Desjardins is the largest federation of credit unions in North America, with outlets across Quebec and Ontario.

The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits.

As you can tell, the story has gotten a fair bit of attention in Canadian media, and analysis of the leak has been circulating since. One analysis argues that the blame for the leak shouldn’t necessarily lie at the feet of one individual. From IT World Canada:

Despite many blaming the employee who allegedly leaked almost 3 million individuals’ information in the recent data breach at The Desjardins Group, some experts warn that this is over-simplifying the problem and not laying enough blame on the company itself.

Mark Sangster, vice-president and industry security strategist at eSentire Inc., spoke with IT World Canada and said that a breach of this sort is a culmination of many factors, not just one; comparing it to the Boeing 737 scandal.

“All too often what happens in these events is that one single source is kind of considered at fault. That lets the company and everybody off the hook. The best analogy I have is the 737,” said Sangster. “It wasn’t simply a pilot error or it wasn’t simply a mechanical failure or design impact. It’s the same thing in security. You have an employee that conducted allegedly illegal activities. So what policies were in place to denote those as illegal or unauthorized? What training was in place? What background checks were committed? What other checks and balances from a security perspective were implemented that would prevent this from occurring?”

What worries Sangster the most, he said, is if this was correctly reported in a timely fashion, what’s being done to improve on that time? This is something he said he hopes the privacy commission focuses on as the investigation moves forward.

“Once the company determined that a significant breach has occurred, they then have to make notification. They have to contact the privacy office. And then as a subsequent follow on, they have to contact any affected individuals. What’s critical in that is ensuring that the company does this because the faster that you find out, you can now take whatever actions are required,” explained Sangster. “As a simple example, if you were truly concerned about the impact on your finances, you can be doing things like looking at bank records, suspending your account… But when you don’t know about it, that’s the real problem. This is what I would encourage the privacy commission in this case to focus on.”

In addition to this, there is concern that fraudsters will pick up on this and attempt to take advantage of the situation. From Sudbury.com:

However, the company says any customers whose information has been compromised as a result of the data breach will receive a personal letter informing them.

“Beware impersonators,” the company said on its website. “We won’t contact you by phone, email or text message.”

Any members with questions or concerns can call 1-800-CAISSES (1-800-224-7737) between 9 a.m. and 9 p.m., seven days a week.

So, people who have been affected by this will get a physical letter. A phone number is also available for those with concerns.

June has certainly been an active month for security incidents. The month started with a bang when First American had 885 million records exposed in a data leak. This was followed by Marriott’s parent company suffering a data leak with 85.4GB of security data exposed. From there, U.S. Customs and Border Protection suffered a data breach in which traveller data was exposed. Then, Emuparadise suffered a breach with 1.1 million forum accounts exposed. After that, there was the total meltdown of AMCA, which suffered a 20 million patient data breach.

The end of the month has been particularly active so far. Evite became the victim of a data breach with 10 million accounts potentially compromised. This was followed the very next day by EatStreet suffering a 6 million account data breach.

Now, we seem to be on a three-day streak with this latest incident. Not a good streak to be on by any means.

Drew Wilson on Twitter: @icecube85 and Facebook.


