44 comments

[ 4.5 ms ] story [ 106 ms ] thread
> The federation's CEO and president, Guy Cormier, said the security breach is not the result of a cyberattack, but the work of an employee who improperly accessed and shared the information.

> That employee has been fired.

> Cormier said he felt "betrayed" by the former employee's actions.

Fired? How about arrested?

There is an ongoing criminal investigation as far as I know.
(comment deleted)
(comment deleted)
The article:

> That employee has been fired. He was arrested by Laval police but has not yet been charged.

The article is getting edited live. It was not in the article when it was first posted by OP but thank you for pointing that out!
Letsee, 5 minutes of wasted time per impacted client (and that’s just to interpret and ignore the notice) * 2.9 million people = 28 years of life lost by one action.

Basically a murder in terms of aggregate impact.

Wasting 10s of 5 billion people's time = 1585 years of life or 27 lives, but I think most would agree killing 27 people is far worse. You can't really equate the two.
These comparisons happen all the time in government.

Do you get more value out of spending $1m (ie: 100 000 person hours of taxes at $10/hr) on saving a few people's lives through improving a highway's safety, through a vaccination program, or an exercise program?

Or just let people keep an extra $10, take an hour off work, and lose 0.0003% of their life (on average!) by increasing their risk of harm in a highway collision?

Lol with that logic most developers who implement an annoying pop up banner subscription/greeting chain combo on a high traffic site are committing an action equal to murder
The maintainers of uBlock Origin have a lot of "Get out of Jail" credits to exchange if they ever need to.
(comment deleted)
> The information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits.

Oooof.

> However, Desjardins said, passwords, security questions and personal identification numbers have not been compromised.

Well that's a relief! Glad the things that are easy to change are safe.

It's very bad from a privacy standpoint but at least nobody will be able to log-in to my account and send all my money offshore.
Instead they can steal your identity and open accounts in your name. Banks can automate the changing of passwords and PINs by requiring the former information to change the latter. But once it's out there, it's gone forever.
I know identity theft is not a joke, but (I'm too lazy to check how does it work in Canada, this is for the US):

• Under most state laws, you're not responsible for any debt incurred on fraudulent new accounts opened in your name without your permission.

https://www.consumer.ftc.gov/articles/pdf-0009_identitytheft...

That still requires work on the behalf of the person whose identity was stolen. Affidavits signed, letters mailed, etc. Also vigilant monitoring of your credit details afterwards.

Even if you are not monetarily charged, it's still a giant pain to recover from.

How easy would it be to recover funds from an account that has been compromised and emptied? Honest question, I have no idea.

Anyway, I don’t know how many fraudulent accounts are opened in Quebec each year using stolen identities but if the fraudster has three millions of identities to choose from (one third of the population) you may have bigger risks to worry about.

Unsure about how it would work on a very large sum, or in Canada, but I had a wallet stolen several years ago and had to sign an affidavit describing what happened. Someone had gone to Best Buy and spent like $400, and the bank returned it after a few weeks.
But on whom rests the burden of proof?
fuuuck

> Anyone whose data was affected will receive a 12-month credit monitoring plan, paid for by Desjardins. That service includes access to daily credit reports, alerts of any changes and identity theft insurance.

> "I want to be really clear," said Cormier. "Our members will be reimbursed [for any losses they incur.] There will be no cost to our members."

Not bad.

No clear mention of whether those impacted will be notified though.
I was impacted by this and was notified via internal message (on the Desjardins AccesD online banking portal).
Is 12 months ever enough monitoring?
According to them, there's permanent monitoring in place. This free paid plan is simply a bonus.

    We introduced additional monitoring and security measures to protect your personal and financial information.
    
    We notified the following authorities: the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec and the Autorité des marchés financiers.
In this world of NSA, data leaks and FAARG, the only way forward is undocumented births and backwoods medicine to avoid personal information being at the mercy of the state, corporations and criminal organizations.
If it was possible for an employee to "access and share" 2.9m datasets, it's the company's fault. No matter who the employee is, if you don't have safeguards in place as a credit union, you aren't doing your job. Like, at all.
How should you do your job so no employee has access to that information? I’m sure they could have been more careful, but the risk cannot be completely eliminated without going to impractical extremes...
Scope of Access Request is the usual implementation.

An employee should not be able to iterate millions of records without first asking for temporary powers.

You set the scope by measuring the usual required, and putting in a procedure for when and how much various supervisors can expand it.

Different departments will have different needs.

This stuff is already built in to industry standard software like SAP.

shakna already gave some good points, but a major one is the shared part.

Even if it's an admin that moves around a backup file from server a to server b, you don't allow anyone to bring in and connect USB drives. You don't allow personal laptops to access files (on that level - accessing a frontend is fine, see access limits) that leave the premises. That's not impractical, it's not extreme, it's just what you do when you handle very important data of millions of users.

Making sure nobody can access data wholesale is step one. You will fail at some point for some reason. Making sure no one can exfil large amounts of data is step two. If he wants to go James Bond on you and use a small camera to photograph his screen, good. Data leaks suck, but this way, it will affect a hundred people, not 2.9m.

Sure, but you need processes to get all the names and adresses every time you send statements by mail, for example. Someone somewhere needs to be able to access the data. Not “everyone”, but not “nobody” either. How do disable access from database admins? Do you keep all the listings in microfilms in a safe in a guarded room in the basement?
No, you do what he explained. Those DBs might have access to the customer DB, but no USB on those system.That access would also be logged at another location, listing date/time/user. It might also require a sign off from a manager/team that reviews record access of more than say 10,000 clients, etc. DBs would be informed of all these security factors, to desuade individuals from making bad choices.

Individually, none of the above would stop this kind of breach. Altogether, and it might be enough. You amply defense in depth

> The information includes names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits.

It's starting to look downright irresponsible to regard such information as private these days.

As such, it should be considered irresponsible to base any portion of a verification protocol on that information.

This isn't surprising, As is with everything with Québec, Desjardins is a Québec based business. They will still retain their customer base. Their site's UX was so bad that I didn't use them as my bank. Their English customer service sucks too. Glad I made that choice. A data breach is still a data breach even if it was by a rogue employee.

By the looks of it, Quebec's Communauto is next in the line.

So the bank itself didn't found out the issue but was told by the police, I'm really curious about monitoring process at banks...
I've been looking into this recently Because Reasons. The story's pretty poor in most places.

Brian "Krebs on Security" Krebs wrote a bit in March 2018 on the state of bank online security. Virtually all of it is outsourced to a handful of major service providers: Fiserv, Jack Henry, FIS, CSI, and Finastra.

https://krebsonsecurity.com/2018/03/what-is-your-banks-secur...

I don't find any indication of what Desjardins' security is based on.

IME, It's very, very, very common for law enforcement to be the ones that first detect signs of a breach and track it back to the affected company, at banks and elsewhere.
(comment deleted)
(comment deleted)
As a retired IT Exec (I worked in Cdn banking for over a decade) this kinda thing used to keep me up at night!

To mitigate the risk I wanted to implement a blanket USB plug-n-play restriction but the client-side Execs overruled me. Fortunately a leak never happened, but really it was just good fortune.

As a current IT exec in banking, a thing that keeps me up at night is the “go to” strategy of compromising employees’ ability to use productivity tools for “security”.

If you follow the lock-it-down strategy to the max, you eventually unplug the computer and keep it in a vault. Since you wouldn’t do that, that means you recognize that security can’t be at the expense of all utility.

So what is the right amount of utility to sacrifice in order to achieve security?

I’d argue — try for none. Make infosec the happy path.