Finance Firm Desjardins Receives Criticism Over Breach

Canadian financial services cooperative Desjardins recently revealed that it suffered a data breach due to its failure to effectively secure its systems, drawing criticism from Quebec’s privacy watchdog, CBC reported.

The incident exposed the data of around 9.7 million Canadians, seven million of them based in Quebec, according to Diane Poitras, president of the Commission d’accès à l’information.

Canada’s privacy commissioner Daniel Therrien said in a press release, “Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care.”

Therrien added, “The organization’s customers and members, and all citizens, were justifiably shocked by the scale of this data breach.” The incident involving Desjardins is considered the biggest data breach in the financial services industry in the country.

The breach went on for at least 26 months and was the work of a “malicious” employee who copied information from Desjardins’ two data warehouses. The copied data includes personal and sensitive information about the company’s customers.

The employee had only limited access to the data warehouses themselves. They were able to reach the data they leaked because other employees regularly had to copy information onto a shared drive as part of their jobs, and the malicious employee had access to that shared drive.

Therrien commented that it is improper that a large company like Desjardins did not put proper security measures in place to prevent the incident. He said, “Canadians expect banking information to have a high level of protection, given its sensitivity.”

An investigation by federal and Quebec commissioners revealed that the company has a string of security gaps in its setup.

Gaps found in the firm’s administrative and technological system include a lack of proper application of policies for managing sensitive info, inadequate access control and data segregation, and a lack of employee training and awareness.

Additionally, the commissioners found a lack of procedures regarding the regular destruction of personal info.

Regarding the actions taken by the company to secure its systems, CTV News said that the company has implemented tighter controls. It also assembled a team of 900 security officers with a budget of at least $150 million back in 2019. It has expansion plans for 2021.

According to the firm, “Desjardins has made great strides in information security over the past 18 months and will continue to apply international best practices.” It also said that it will continue to work with other partners to create a digital ID system for Canadians.
