> The federation's CEO and president, Guy Cormier, said the security breach is not the result of a cyberattack, but the work of an employee who improperly accessed and shared the information.
> That employee has been fired.
> Cormier said he felt "betrayed" by the former employee's actions.
Letsee, 5 minutes of wasted time per impacted client (and that’s just to interpret and ignore the notice) * 2.9 million people = 28 years of life lost by one action.
Wasting 10s of 5 billion people's time = 1585 years of life or 27 lives, but I think most would agree killing 27 people is far worse. You can't really equate the two.
These comparisons happen all the time in government.
Do you get more value out of spending $1m (ie: 100 000 person hours of taxes at $10/hr) on saving a few people's lives through improving a highway's safety, through a vaccination program, or an exercise program?
Or just let people keep an extra $10, take an hour off work, and lose 0.0003% of their life (on average!) by increasing their risk of harm in a highway collision?
Lol with that logic most developers who implement an annoying pop up banner subscription/greeting chain combo on a high traffic site are committing an action equal to murder
Instead they can steal your identity and open accounts in your name. Banks can automate the changing of passwords and PINs by requiring the former information to change the latter. But once it's out there, it's gone forever.
That still requires work on the behalf of the person whose identity was stolen. Affidavits signed, letters mailed, etc. Also vigilant monitoring of your credit details afterwards.
Even if you are not monetarily charged, it's still a giant pain to recover from.
How easy would it be to recover funds from an account that has been compromised and emptied? Honest question, I have no idea.
Anyway, I don’t know how many fraudulent accounts are opened in Quebec each year using stolen identities but if the fraudster has three millions of identities to choose from (one third of the population) you may have bigger risks to worry about.
Unsure about how it would work on a very large sum, or in Canada, but I had a wallet stolen several years ago and had to sign an affidavit describing what happened. Someone had gone to Best Buy and spent like $400, and the bank returned it after a few weeks.
> Anyone whose data was affected will receive a 12-month credit monitoring plan, paid for by Desjardins. That service includes access to daily credit reports, alerts of any changes and identity theft insurance.
> "I want to be really clear," said Cormier. "Our members will be reimbursed [for any losses they incur.] There will be no cost to our members."
Not in the article, but Desjardins has set up a webpage with information on the leak.[0]
They will send a letter to every clients whose informations were leaked, which will include the code for a free 12-month Equifax (credit report) monitoring.
According to them, there's permanent monitoring in place. This free paid plan is simply a bonus.
We introduced additional monitoring and security measures to protect your personal and financial information.
We notified the following authorities: the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec and the Autorité des marchés financiers.
In this world of NSA, data leaks and FAARG, the only way forward is undocumented births and backwoods medicine to avoid personal information being at the mercy of the state, corporations and criminal organizations.
If it was possible for an employee to "access and share" 2.9m datasets, it's the company's fault. No matter who the employee is, if you don't have safeguards in place as a credit union, you aren't doing your job. Like, at all.
How should you do your job so no employee has access to that information? I’m sure they could have been more careful, but the risk cannot be completely eliminated without going to impractical extremes...
shakna already gave some good points, but a major one is the shared part.
Even if it's an admin that moves around a backup file from server a to server b, you don't allow anyone to bring in and connect USB drives. You don't allow personal laptops to access files (on that level - accessing a frontend is fine, see access limits) that leave the premises. That's not impractical, it's not extreme, it's just what you do when you handle very important data of millions of users.
Making sure nobody can access data wholesale is step one. You will fail at some point for some reason. Making sure no one can exfil large amounts of data is step two. If he wants to go James Bond on you and use a small camera to photograph his screen, good. Data leaks suck, but this way, it will affect a hundred people, not 2.9m.
Sure, but you need processes to get all the names and adresses every time you send statements by mail, for example. Someone somewhere needs to be able to access the data. Not “everyone”, but not “nobody” either. How do disable access from database admins? Do you keep all the listings in microfilms in a safe in a guarded room in the basement?
No, you do what he explained. Those DBs might have access to the customer DB, but no USB on those system.That access would also be logged at another location, listing date/time/user. It might also require a sign off from a manager/team that reviews record access of more than say 10,000 clients, etc. DBs would be informed of all these security factors, to desuade individuals from making bad choices.
Individually, none of the above would stop this kind of breach. Altogether, and it might be enough. You amply defense in depth
This isn't surprising, As is with everything with Québec, Desjardins is a Québec based business. They will still retain their customer base. Their site's UX was so bad that I didn't use them as my bank. Their English customer service sucks too. Glad I made that choice. A data breach is still a data breach even if it was by a rogue employee.
By the looks of it, Quebec's Communauto is next in the line.
I've been looking into this recently Because Reasons. The story's pretty poor in most places.
Brian "Krebs on Security" Krebs wrote a bit in March 2018 on the state of bank online security. Virtually all of it is outsourced to a handful of major service providers: Fiserv, Jack Henry, FIS, CSI, and Finastra.
IME, It's very, very, very common for law enforcement to be the ones that first detect signs of a breach and track it back to the affected company, at banks and elsewhere.
As a retired IT Exec (I worked in Cdn banking for over a decade) this kinda thing used to keep me up at night!
To mitigate the risk I wanted to implement a blanket USB plug-n-play restriction but the client-side Execs overruled me. Fortunately a leak never happened, but really it was just good fortune.
As a current IT exec in banking, a thing that keeps me up at night is the “go to” strategy of compromising employees’ ability to use productivity tools for “security”.
If you follow the lock-it-down strategy to the max, you eventually unplug the computer and keep it in a vault. Since you wouldn’t do that, that means you recognize that security can’t be at the expense of all utility.
So what is the right amount of utility to sacrifice in order to achieve security?
I’d argue — try for none. Make infosec the happy path.
44 comments
[ 4.5 ms ] story [ 106 ms ] thread> That employee has been fired.
> Cormier said he felt "betrayed" by the former employee's actions.
Fired? How about arrested?
> That employee has been fired. He was arrested by Laval police but has not yet been charged.
Basically a murder in terms of aggregate impact.
Do you get more value out of spending $1m (ie: 100 000 person hours of taxes at $10/hr) on saving a few people's lives through improving a highway's safety, through a vaccination program, or an exercise program?
Or just let people keep an extra $10, take an hour off work, and lose 0.0003% of their life (on average!) by increasing their risk of harm in a highway collision?
Oooof.
> However, Desjardins said, passwords, security questions and personal identification numbers have not been compromised.
Well that's a relief! Glad the things that are easy to change are safe.
• Under most state laws, you're not responsible for any debt incurred on fraudulent new accounts opened in your name without your permission.
https://www.consumer.ftc.gov/articles/pdf-0009_identitytheft...
Even if you are not monetarily charged, it's still a giant pain to recover from.
Anyway, I don’t know how many fraudulent accounts are opened in Quebec each year using stolen identities but if the fraudster has three millions of identities to choose from (one third of the population) you may have bigger risks to worry about.
> Anyone whose data was affected will receive a 12-month credit monitoring plan, paid for by Desjardins. That service includes access to daily credit reports, alerts of any changes and identity theft insurance.
> "I want to be really clear," said Cormier. "Our members will be reimbursed [for any losses they incur.] There will be no cost to our members."
Not bad.
They will send a letter to every clients whose informations were leaked, which will include the code for a free 12-month Equifax (credit report) monitoring.
[0] https://www.desjardins.com/renseignements-personnels/index.j...
An employee should not be able to iterate millions of records without first asking for temporary powers.
You set the scope by measuring the usual required, and putting in a procedure for when and how much various supervisors can expand it.
Different departments will have different needs.
This stuff is already built in to industry standard software like SAP.
Even if it's an admin that moves around a backup file from server a to server b, you don't allow anyone to bring in and connect USB drives. You don't allow personal laptops to access files (on that level - accessing a frontend is fine, see access limits) that leave the premises. That's not impractical, it's not extreme, it's just what you do when you handle very important data of millions of users.
Making sure nobody can access data wholesale is step one. You will fail at some point for some reason. Making sure no one can exfil large amounts of data is step two. If he wants to go James Bond on you and use a small camera to photograph his screen, good. Data leaks suck, but this way, it will affect a hundred people, not 2.9m.
Individually, none of the above would stop this kind of breach. Altogether, and it might be enough. You amply defense in depth
It's starting to look downright irresponsible to regard such information as private these days.
As such, it should be considered irresponsible to base any portion of a verification protocol on that information.
By the looks of it, Quebec's Communauto is next in the line.
Brian "Krebs on Security" Krebs wrote a bit in March 2018 on the state of bank online security. Virtually all of it is outsourced to a handful of major service providers: Fiserv, Jack Henry, FIS, CSI, and Finastra.
https://krebsonsecurity.com/2018/03/what-is-your-banks-secur...
I don't find any indication of what Desjardins' security is based on.
To mitigate the risk I wanted to implement a blanket USB plug-n-play restriction but the client-side Execs overruled me. Fortunately a leak never happened, but really it was just good fortune.
If you follow the lock-it-down strategy to the max, you eventually unplug the computer and keep it in a vault. Since you wouldn’t do that, that means you recognize that security can’t be at the expense of all utility.
So what is the right amount of utility to sacrifice in order to achieve security?
I’d argue — try for none. Make infosec the happy path.