The Devil You Know: Insider Breaks into the Largest Federal Credit Union in North America


JULY 2019

By: Damla Cessur

In a stunning turn of events, earlier this year Desjardins Group, a Canadian bank that operates the largest federal credit union in North America, reported they were the victim of an internally caused data breach that leaked information on 2.9 million members.

Guy Cormier, president and CEO of Desjardins Group, announced on June 20, 2019, that an employee improperly accessed and shared the information of 2.7 million individuals and some 173,000 businesses.

The employee was, of course, fired, but how could this entire incident have been avoided?

The data breach affects around 2.7 million people and 173,000 businesses, more than 40 percent of the co-operative’s clients and members.

The leaked information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits.

Desjardins said the passwords, security questions and personal identification numbers of their members were not compromised. But clearly, had Desjardins put controls in place for privileged account users like the disgruntled employee, the entire incident would never have happened.

The breach looks to be one of the largest ever among Canadian financial institutions, according to Claudiu Popa, who heads the data security firm Datarisk Canada.

“There is no one at Desjardins who can turn on their computer in the morning and get access to the information of all our members,” said Cormier. “We’re a lot more secure than that.”

The suspected employee apparently created a scheme to win the trust of his colleagues, then used their access, and his own, to extract valuable data from the organization.

“Internal fraud is the fraud that is the most difficult, the most complex to detect,” Cormier added.

Anyone whose data was affected will receive a 12-month credit monitoring plan, paid for by Desjardins. That service includes access to daily credit reports, alerts of any changes and identity theft insurance.

“I want to be really clear,” said Cormier. “Our members will be reimbursed [for any losses they incur]. There will be no cost to our members.”

Why suffer the enormous expenses associated with breaches like these, including hard costs (like providing security services for identity management to end-customers) and reputational costs, which are more difficult to measure but harmful to the brand?

There are solutions in place today, and every CXO and board member should be aware of them.
Ironsphere helps enterprises secure their networks with Access Control Security software and solutions, helping organizations reduce risks and operate more efficiently – and avoid the costs and headaches associated with breaches of trust, especially those caused internally – whether maliciously or accidentally.
