A data breach at Desjardins – the largest ever in the Canadian financial services sector – was caused by a series of gaps in administrative and technological safeguards, according to an investigation by the Office of the Privacy Commissioner of Canada (OPC).
The breach was uncovered in June last year after a rogue employee stole and disseminated the personal information of more than 9.7 million individuals, including 4.2 million active accounts. The institution sacked its chief operating officer and IT executive vice president six months later when the full scale of the incident became apparent.
The breach went on for more than two years before Desjardins became aware of it, and then only after the organisation had been notified by the police.
The OPC investigation found that the personal information was originally stored in two data warehouses to which the malicious employee had only limited access. However, other employees, in the course of fulfilling their duties, would regularly copy that information onto a shared drive.
As a result, employees who would not usually have the required clearance or the need to access some of the confidential data were able to do so.
States the OPC: "While these practices violated the financial institution’s policies, the technological measures in place to prevent these situations were lacking at the time of the breach."
Privacy commissioner Daniel Therrien says: "It is difficult to see how an employee managed to exfiltrate Desjardins clients’ personal information for at least 26 months and that the financial institution only initially learned about what was happening from the police. Regulators do not expect perfection, but they do expect data to be protected with measures that are consistent with the sensitivity of the information. This includes systems to detect unusual activity that could be fraudulent."
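The OPC's finding is that warehouse data was copied to a shared drive where policy alone, with no technological measure behind it, was supposed to keep it from staff who had no need to see it. One detective control that addresses exactly that gap is a periodic scan of shared storage for files that concentrate client identifiers. The script below is an added example written for this article; it is not Desjardins' code and nothing in the OPC report describes what Desjardins actually deployed. It scans a set of files for Canadian Social Insurance Numbers, which carry a Luhn check digit, so nine-digit strings that fail the check (invoice numbers, phone fragments) are discarded as noise, and it flags any file holding at least a threshold number of distinct valid SINs. The file names, file contents and the threshold of five are constructed assumptions for illustration.

```python
"""Added example: scan shared-drive files for concentrations of SINs.

Not from the OPC report or from Desjardins. Sample paths, contents and
the alert threshold are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Nine digits in groups of three, optionally separated by a space or dash.
SIN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("no check digit found")  # unreachable for decimal input


def find_sins(text: str) -> list[str]:
    """All Luhn-valid nine-digit candidates in text, as plain digit strings."""
    found = []
    for m in SIN_PATTERN.finditer(text):
        digits = "".join(m.groups())
        if luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    path: str
    sin_count: int      # total valid SIN occurrences
    distinct_sins: int  # unique valid SINs


def scan_files(files: dict[str, str], threshold: int = 5) -> list[Finding]:
    """Flag files with at least `threshold` distinct valid SINs, worst first."""
    findings = []
    for path, content in files.items():
        sins = find_sins(content)
        distinct = len(set(sins))
        if distinct >= threshold:
            findings.append(Finding(path, len(sins), distinct))
    return sorted(findings, key=lambda f: f.distinct_sins, reverse=True)


def build_sample_drive() -> dict[str, str]:
    """Constructed stand-in for a shared drive (assumed paths and contents)."""
    prefixes = ["04645428", "12345678", "23456789",
                "34567890", "45678901", "56789012"]
    sins = [p + luhn_check_digit(p) for p in prefixes]
    # One SIN appears twice, so sin_count (7) differs from distinct_sins (6).
    rows = [f"client{i},{s[:3]}-{s[3:6]}-{s[6:]},1250.75"
            for i, s in enumerate(sins + [sins[0]])]
    return {
        "finance/q3_extract.csv": "name,sin,balance\n" + "\n".join(rows),
        # Ten-digit phone numbers and a Luhn-invalid invoice number: no hits.
        "hr/phone_list.txt": "reception 613 555 0199\ninvoice INV-483920117\n",
        # A single valid SIN stays below the threshold and is not flagged.
        "it/readme.txt": "Use 046 454 286 as the documented test SIN only.\n",
    }


def demo_scan() -> list[Finding]:
    return scan_files(build_sample_drive(), threshold=5)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"ALERT {f.path}: {f.distinct_sins} distinct SINs "
              f"({f.sin_count} occurrences)")
```

In a real deployment the dictionary of files would be replaced by a walk of the share, the threshold tuned against the share's legitimate contents, and each alert tied to the account that created or last modified the file, so that the copy-to-shared-drive practice the OPC describes surfaces as an event rather than going unnoticed for 26 months.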
Desjardins has since implemented a series of measures to tighten its defences, including the appointment of a chief data officer and the establishment of a group security office. The latter unit, staffed by more than 900 security experts, has an investment budget of more than $150 million, which will increase to more than $250 million in 2021.
The institution will be expected to provide the OPC with progress reports on a bi-annual basis.