One Malicious Insider Leads to $155M Settlement

Canada’s Desjardins Settles Data Breach Lawsuit for $155M
Highlights the risks posed by insider threats and lack of information segmentation.

The cost of the settlement adds on to the costs the bank has already carried resolving the breach they discovered in 2019.

The breach, which was publicly disclosed in June 2019, involved a “malicious” insider stealing and selling personal details for 4.2 million active customers of the credit union group in addition to 1.8 million credit card holders from outside the member base over the course of 26 months.

The settlement, submitted to the Superior Court of Quebec on May 24 and approved Tuesday, will provide nearly 201 million Canadian dollars ($155 million) to class members.

“This action follows the public announcement by Desjardins that on June 20, 2019, a former employee stole and transmitted to third parties the personal and confidential information of millions of its members and customers, including their names, dates of birth, social insurance numbers, as well as certain information on their transactional habits and the products they use,” according to court documents.

This settlement agreement doesn’t resolve every lawsuit filed against Desjardins over the breach. One proposed class action lawsuit, filed in British Columbia in June 2019, remains ongoing.

How Data Breach Occurred
In 2020, the Canadian Office of the Privacy Commissioner issued a report into Desjardin’s compliance from 2017 to 2019.

The OPC found that the compromised information was being stored in two data warehouses: one for credit data and another for banking. While the banking data warehouse was segmented and access to confidential information was restricted, it found that no such controls were in place for the credit data warehouse and that anyone with access to that store of data could view everything being stored.

In addition, it found that marketing employees with sufficient access rights were regularly copying confidential information from both of the data warehouses to a shared marketing drive. “Once transferred, employees who did not have the necessary authorizations to access the confidential information in the data warehouses were able to access it freely,” the OPC reported. The insider appears to have had access to the shared marketing drive. The OPC found that “between March 2017 and May 2019, the malicious employee copied . . . personal information from the shared drive, including information he would not normally have access rights to in the banking data warehouse, onto his work computer and then onto USB keys.

Exposed information included “first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories,” which in various combinations could be used to perpetrate identity theft, the OPC found.

When it comes to your information security it’s not just the outside threats we need to keep an eye on. It’s important to ensure that sensitive information is only accessible to those with appropriate credentials, as opposed to the marketing nitwits.

If you have questions about your IT security in the ever-changing threat landscape, call ITPAC today.