Canada’s largest financial services data breach was caused by a series of gaps in administrative and technological safeguards, federal and Quebec privacy commissioners said in a report issued this morning.
“[Desjardins Group] did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care,” said Daniel Therrien, Privacy Commissioner of Canada. “The organization’s customers and members, and all citizens, were justifiably shocked by the scale of this data breach. That being said, we are satisfied with the mitigation measures offered to those affected and the commitments made by Desjardins.”
Discovered in June 2019 not by Desjardins but by a police department, the data breach involved 9.7 million active and inactive files of individuals with accounts at Desjardins credit union branches, largely in Quebec and Ontario, and some abroad.
Data copied by an unnamed staffer in the marketing department onto a USB stick and allegedly sold to a private lender included first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories.
The report notes the unnamed employee was described by Desjardins as, “a skilled and high performing employee, and who was a key resource for many of his colleagues.”
Desjardins had recognized some of the security weaknesses that ultimately led to the breach — including the ability of staff to use unapproved storage devices like USB drives — and had a plan to remedy them including implementing data loss prevention technology, the commissioners said in the joint report. “Nonetheless, it failed to rectify the issues in time to prevent what happened. Moreover, the breach occurred over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by the police.”
While Desjardins “invested a significant portion of its overall information security budget to fight against external threats,” the commissioners said, “in our view, the absence of a culture of vigilance against internal threats significantly contributed to the breach.”
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) obliges organizations to protect personal information with security safeguards appropriate to the sensitivity of the information. “This represents a significant, but nonetheless crucial task for a financial institution with complex systems and that maintains a large number of business relationships,” a summary of the report said. But Desjardins violated PIPEDA requirements in accountability, retention periods, and security safeguards, the report said.
At a press conference Therrien said it was “fairly startling” that almost half of the stolen data — 4 million files — involved people whose banking or credit card accounts had expired and shouldn’t have been kept by Desjardins. PIPEDA says Canadian organizations that fall under the law can only retain personal information needed for commercial reasons.
The investigation into the breach at Desjardins highlights the risks of insider threats. The report says the Office of the Privacy Commissioner stresses the importance of vigilance and a holistic approach to addressing and mitigating the impact of such threats.
For at least 26 months the unnamed employee exfiltrated sensitive personal information to an unknown person or persons, said the report.
This information was originally stored in two data warehouses to which the malicious employee had limited access: the credit data warehouse and the banking data warehouse. Access to the banking data warehouse was segmented according to whether the information was confidential (which included personal information) or non-confidential. But the credit data warehouse wasn’t segmented, and employees with the necessary authorizations could access all of the data, including personal information.
“Our investigation revealed that in the course of fulfilling their duties, certain employees from Desjardins’ marketing department copied the compromised personal information from both data warehouses to the marketing department’s shared directory accessible to all employees of the department. These employees had the necessary authorizations to access the data warehouses, including confidential information (and personal information). The employee identified by Desjardins as the source of the breach, referred to in this report as the ‘malicious employee’, did not have access rights to personal information held in the banking data warehouse. However, he did have access to other non-confidential information contained in this warehouse.
Each month one or more employees performed an automated transfer of personal information from the credit data warehouse to their user folder(s) in the marketing department’s shared drive. Other employees in the marketing department copied confidential personal information from the banking data warehouse to a shared drive. Once transferred, employees who did not have the necessary authorizations to access the confidential information in the data warehouses were able to access it freely.
Between March 2017 and May 2019, the malicious employee copied this personal information from the shared drive, including information he would not normally have access rights to in the banking data warehouse, onto his work computer and then onto USB keys. This, the report says, was in contravention of the confidentiality agreement he signed in the course of his employment.
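As an added illustration, not taken from the report or from Desjardins’ systems, the following Python sketch shows the kind of proactive monitoring the chain above calls for: it replays a few constructed file-audit events and flags confidential extracts landing on an all-hands share, reads of confidential files by users who lack warehouse authorization, and copies of confidential files to removable media. User names, paths, the classification table and the authorization table are all assumed.

```python
"""Insider-exfiltration detector over constructed file-audit events (added example)."""
from collections import defaultdict

# Assumed authorization table: data classes each user may read from the warehouses.
# 'analyst1' stands for marketing staff with warehouse rights; 'emp_m' for a user
# who holds only non-confidential banking access.
AUTHORIZED = {
    "analyst1": {"credit_confidential", "banking_confidential"},
    "emp_m": {"banking_public"},
}

# Assumed classification of files on the marketing department share.
CLASSIFICATION = {
    "/mkt/share/analyst1/credit_extract.csv": "credit_confidential",
    "/mkt/share/analyst1/banking_extract.csv": "banking_confidential",
    "/mkt/share/newsletter.docx": "banking_public",
}

def is_confidential(path):
    return CLASSIFICATION.get(path, "unclassified").endswith("_confidential")

def detect(events, removable_threshold=2):
    """Return (rule, user, detail) findings for a list of audit events.

    Each event is a dict with user, action ('read'|'write'), path and
    dest ('share'|'workstation'|'removable').
    """
    findings = []
    removable_writes = defaultdict(int)
    for e in events:
        conf = is_confidential(e["path"])
        allowed = AUTHORIZED.get(e["user"], set())
        # The share bypasses warehouse ACLs, so re-check authorization on every touch.
        if conf and CLASSIFICATION[e["path"]] not in allowed:
            findings.append(("unauthorized_confidential_access", e["user"], e["path"]))
        if e["action"] == "write":
            if e["dest"] == "share" and conf:      # extract dropped on an all-hands share
                findings.append(("confidential_to_shared_drive", e["user"], e["path"]))
            if e["dest"] == "removable":
                removable_writes[e["user"]] += 1
                if conf:                           # confidential file copied to a USB key
                    findings.append(("confidential_to_removable", e["user"], e["path"]))
    for user, n in removable_writes.items():
        if n >= removable_threshold:
            findings.append(("bulk_removable_writes", user, f"{n} files"))
    return findings

EVENTS = [  # constructed sample events reproducing the reported pattern
    {"user": "analyst1", "action": "write", "path": "/mkt/share/analyst1/credit_extract.csv", "dest": "share"},
    {"user": "emp_m", "action": "read", "path": "/mkt/share/newsletter.docx", "dest": "workstation"},
    {"user": "emp_m", "action": "read", "path": "/mkt/share/analyst1/banking_extract.csv", "dest": "workstation"},
    {"user": "emp_m", "action": "write", "path": "/mkt/share/analyst1/banking_extract.csv", "dest": "removable"},
    {"user": "emp_m", "action": "write", "path": "/mkt/share/analyst1/credit_extract.csv", "dest": "removable"},
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

In a real deployment the events would come from file-server audit logs and endpoint removable-media telemetry, and the classification would be driven by the data warehouse tags rather than a hard-coded table.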
The privacy commissioners couldn’t trace where the data went. According to media reports, they noted, the malicious employee is suspected of having sold some of the personal information to a private lender. Some of the information was reportedly then forwarded to a second private lender, who was also a mortgage broker, and his partner, an investment and insurance advisor. This partner allegedly admitted to investigators from Quebec’s Autorité des marchés financiers that he paid $40,000 to buy lists of Desjardins members’ personal information.
Police are still investigating.
In response Desjardins issued a release saying that since the breach was discovered it has implemented a number of changes to improve the protection of personal data. These include stepping up the pace of “efforts to create one of the most secure environments of any financial institution,” creating a Group Security Office which will have a budget of $250 million next year, appointing a Chief Data Officer to oversee information security, data security and data warehousing best practices, and creating a security intelligence centre. Desjardins has to report to the privacy commissioners every six months on its progress in tightening data security.
The report says:
- Desjardins failed to ensure the proper implementation of its policies and procedures for managing personal information, some of which were inadequate to begin with;
- From a technological standpoint, the access controls and data segregation of the databases and directories were inadequate;
- Employee training and awareness were lacking considering the sensitive nature of the personal information the organization was entrusted with;
- Desjardins had not implemented retention periods or procedures regarding the destruction of personal information.
Desjardins had no shortage of directives, policies and procedures for protecting personal information, the report notes. In fact, there were 13 of them. But, the report adds, certain relevant policies and procedures were incomplete or had not been implemented. Examples include the personal information retention schedule, standards for managing shared directories, and granting high-level privileges, as well as rules governing the use of confidential personal information extracted from the banking data warehouse.
“In our view, Desjardins’ most significant failing in this area is with regards to the implementation of its policies and procedures,” the report says. “Despite the existence of many, we identified several examples of Desjardins having failed to take the necessary steps to ensure their complete and integrated implementation.”
For example:
- Desjardins’ Standard de sécurité sur la protection des données [Security standards for data protection] specifies that only authorized personnel may access, disclose or modify information. It also specifies that confidential information must be protected throughout its life cycle and that all owners of electronic document repositories containing secret or confidential information must ensure that accesses and permissions are managed to ensure confidentiality. Desjardins did not implement safeguards to prevent or control the transfer of confidential personal information from the data warehouse to folders accessible to unauthorized employees and from there to computers and removable storage devices, the report says;
- The Standard Mouvement sur l’utilisation des technologies [Desjardins directive on the use of technology] prohibits the storage of personal information on devices that do not belong to the organization. Despite the existence of this directive, the report says, Desjardins’ systems did not prevent the use of personal removable storage devices. Desjardins had identified this issue before learning of the breach or how the malicious employee extracted the compromised personal information. Even though Desjardins was in the midst of deploying a solution, which would have ultimately eliminated the use of personal storage devices, it failed to prevent the breach.
- The Standard de Sécurité sur l’utilisation de données confidentielles ou secrètes hors des environnements de production [Security standards on the use of confidential or secret information outside of production environments] states that transfers of secret data outside of a protected production environment are prohibited unless the data is first removed, masked or replaced by a dataset. It also states that employees must submit a request and have it authorized before transferring any confidential data to a non-production environment. The report says the breach demonstrates that, despite these stipulations, it was possible to transfer confidential personal information out of the protected production environment without masking it or making a transfer request.
“While many of the malicious employee’s actions were clearly contrary to several of Desjardins’ policies and procedures,” the report said, “it should be noted that employees with legitimate access rights downloaded files to shared sub-folders in the shared drive that was accessible to all marketing employees. These actions constituted non-compliant processing according to Desjardins’ policies and procedures, and did not follow best practices. This raises the question of whether the [security awareness] training provided made them sufficiently aware of the importance of maintaining the confidentiality of personal information, and of the serious consequences of making personal information accessible to unauthorized third parties.”
In comments to reporters Therrien noted that data protection is hard, but organizations the size of Desjardins have the financial ability to do it. In particular, he said it was “unacceptable that they did not have active [employee] monitoring systems. They had passive monitoring. You need to have proactive monitoring. And large companies need to be in a position to [do] that.”
He also complained of the “lack of proportionality” between the “massive volume” of personal information companies collect and the resources devoted to data protection. “The trend is when we [at the OPC] investigate complaints we often see the lack of proportionality.”
Therrien noted that under the proposed new federal private sector privacy law a tribunal would have the power to fine an organization millions not only for violating the law but also for not having sufficient data safeguards.
Asked what can be done beyond fines to get companies to put more resources into data protection, Quebec access to information commissioner Diane Poitras said giving individual consumers the right to sue firms [which is included in the proposed federal legislation] might help. “Unfortunately,” she said, “sometimes financial loss is the biggest incentive for businesses.”
Therrien agreed. “It’s an unfortunate truth that the bottom line is important.” But also, he added, “it’s a question of [consumer] trust at the end of the day.”
“Technology is complicated and these companies have large and complex systems to operate,” Therrien added. “But companies monetize personal information in their operations and they ultimately make profits. That is normal in a market economy. But it is important, as this case and others show, that it is important for companies small and large to take appropriate measures.”
(This story has been updated from the original to include comments from the commissioners’ press conference)