Employee misconduct is among the biggest worries of CISOs. They hope staffers can be trusted so the focus is on external threats. And the fact is most cyber incidents will come from outside the firewall.
However, rogue employees can bite you. Quebec-based credit union Desjardins Group found that out earlier this month when it learned a staffer had, in its words, “shared” the personal information of more than 2.7 million individual members and 173,000 businesses with a person or persons outside the institution.
The institution, which has branches in Quebec and Ontario, gave some details Thursday.
It’s one of the largest publicly reported data breaches among Canadian financial institutions.
Data of individuals exposed included first and last name, date of birth, social insurance number, address, phone number, email address and details about customer banking habits and Desjardins products. Data exposed of business customers included addresses, telephone numbers, and the names of owners and AccèsD Affaires account users. Some information about owners or AccèsD Affaires users may also have been taken.
Passwords, security questions, and personal identification numbers (PINs) were not compromised.
“This incident was not a cyberattack,” the bank said in a statement. Desjardins computer systems weren’t breached during this incident, it emphasized.
The employee has been fired and police from the city of Laval are investigating. According to the CBC, Desjardins turned to the force last December after becoming suspicious about a transaction. However, apparently it was only this month that the data theft was confirmed.
The Globe and Mail quoted Desjardins chief operating officer Denis Berthiaume as saying the employee was “a data specialist, who connived to get access to information he should not have had access to, and transferred it to a third party.” The Globe also said Desjardins doesn’t know who the data went to.
The most recently reported breach of security controls at a Canadian financial institution was last May, when the Bank of Montreal and CIBC’s Simplii Financial suffered data breaches with a combined total of 90,000 accounts hit.
To combat insider threats, organizations often use behavioural analysis software, which treats abnormal behaviour as a suspicious sign. However, such tools may miss the activity of a staffer who has legitimate access to sensitive data, since their reads of that data look normal.
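As an added illustration of that limitation (example code, not from the article or from Desjardins): a leave-one-out z-score baseline over constructed per-user daily access counts flags a sudden bulk read, but not a user whose large, steady volume sits inside their normal entitlement.

```python
import statistics
from collections import defaultdict

# Constructed sample audit records (not real data): (day, user, records_read)
SAMPLE_LOG = [
    ("d1", "alice", 120), ("d2", "alice", 110), ("d3", "alice", 130),
    ("d4", "alice", 125), ("d5", "alice", 4500),   # one-day bulk read: a spike
    ("d1", "bob", 900), ("d2", "bob", 950), ("d3", "bob", 920),
    ("d4", "bob", 980), ("d5", "bob", 940),        # steady high volume, legitimately entitled
]

def daily_counts(log):
    """Aggregate records read per user per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, n in log:
        counts[user][day] += n
    return counts

def find_spikes(log, z_threshold=3.0):
    """Flag (user, day, z) where the day's volume sits more than z_threshold
    standard deviations above that user's own baseline (their other days)."""
    flagged = []
    for user, per_day in daily_counts(log).items():
        for day, n in per_day.items():
            others = [v for d, v in per_day.items() if d != day]
            if len(others) < 2:
                continue  # too little history to form a baseline
            mean = statistics.mean(others)
            sd = statistics.stdev(others)
            if sd == 0:
                z = float("inf") if n > mean else 0.0  # flat history: any rise is a spike
            else:
                z = (n - mean) / sd
            if z > z_threshold:
                flagged.append((user, day, round(z, 1)))
    return flagged

def total_volume(log):
    """Records touched per user over the whole window: what the spike
    detector does not see."""
    totals = defaultdict(int)
    for _, user, n in log:
        totals[user] += n
    return dict(totals)

if __name__ == "__main__":
    print("spikes:", find_spikes(SAMPLE_LOG))   # alice on d5 only
    print("totals:", total_volume(SAMPLE_LOG))  # bob moved a comparable volume, unflagged
```

The totals show why a volume spike detector alone is not enough: bob exported almost as many records as alice without ever leaving his own baseline, which is where entitlement reviews and data-movement controls have to take over.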
While many surveys of CIOs and CISOs suggest insider threats are among their biggest concerns, the extent of the threat isn’t clear. According to the annual Verizon Data Breach Investigations Report, which looks at hundreds of security incidents around the world, on average insiders are responsible for no more than 30 per cent of breaches.
Depending on the source, the insider threat category also includes innocent misconfiguration of hardware and software.