The recent incidents of identity fraud that victimized certain account holders at the Bank of Canada might be a wakeup call for organizations to take a “holistic” approach to security, according to an IT security analyst.
Corporate IT security is not just about protecting against external attacks like worms and viruses, but it’s also about recognizing the potential of internal threats, said Joe Greene, Ottawa-based vice-president, IT security research for IDC Canada. “You can have the best firewalls in the world, but if you let your guard down internally, you’re still going to get burned,” Greene said.
Earlier this month, the Ottawa RCMP and Ottawa Police Service arrested two individuals in connection with incidents of identity fraud that victimized eight account holders of the Canada Savings Bond (CSB) Payroll Savings Program to the tune of about $100,000 in total, according to a Bank of Canada press release.
The two unnamed individuals arrested were former employees of EDS Canada Inc., read a statement issued by the RCMP. EDS is the third-party outsourcer that has provided back-office administration and support for the Bank of Canada’s CSB program since September 2001, the Bank of Canada said.
“I think this is a clue to anybody that is going to be outsourcing that they…need to make sure that the people they are outsourcing to are hiring [only] credible people,” Greene said.
The analyst pointed out, however, that the Bank of Canada incident should not be construed as a point against outsourcing in general, but should focus on the “people and process” that outsourcers have in place.
Meanwhile, EDS Canada said that this incident did not indicate a flaw in its security policies.
“It’s important to note that the incident that resulted in the arrests that were announced [by the RCMP] is the result of a system that works and not of a system that doesn’t work,” said James Toccacelli, EDS Canada’s director of communications.
Toccacelli explained that the investigation stemmed from an alert reported by both the Bank of Canada and EDS to the Ottawa law enforcement agencies. Last December, EDS detected some unusual activities in certain CSB holders’ accounts, which prompted EDS and the Bank of Canada to investigate further.
The initial probe led the two companies to conclude that there were some “troubling tendencies” involving the accounts in question, and that’s when the RCMP and the Ottawa police took over the investigation, the EDS director said.
While the RCMP has disclosed that the two individuals in custody were former EDS employees, Toccacelli was uncertain whether they were permanent or temporary employees. “I suspect they are two former EDS temporary employees, but I don’t know that for a fact,” he said. The whole process that was undertaken, which led to the arrests, was an indication of how a security system is supposed to work, said Toccacelli.
He explained: “Someone allegedly undertook some criminal activity. That activity was identified; the proper authorities were notified; the procedures were in place that allowed us to reverse engineer what happened, the result of which is the arrest.”
According to the Bank of Canada, the account holders have been notified and reimbursed.
“The bank and EDS are working to review safeguards to protect the integrity and security of Canada Savings Bond Payroll Savings Program accounts,” said Dale Fleck, Bank of Canada’s chief of administration office. “We have strengthened all procedures and are continuing to see where further safeguards can be implemented,” he added.
QuickLink 065004
