You may already know that Desjardins, a large financial institution based in Quebec, Canada, announced an internal data breach back in June. If you missed the news, here’s Desjardins’ official press release:
“On June 14, 2019, the Laval police contacted Desjardins with information confirming that the personal information of more than 2.9 million members had been shared with individuals outside the organization. This includes 2.7 million individual members and 173,000 business members.
This situation is the outcome of unauthorized and illegal use of our internal data by an employee who has since been fired. In light of these events, and given the circumstances, additional security measures were put in place on all accounts.”
Internal data breaches are no laughing matter. Disgruntled employees and contractors are a significant internal cyber attack threat that often gets overlooked.
Desjardins may say that the incident isn’t a cyber attack. But in my opinion, deliberate internal data breaches are pretty obviously cyber attacks. An attack is a malicious action of some sort, and “cyber” pertains to anything that has to do with computers. So – cyber attack.
Thinking of external attacks as the main threat is understandable though, and handling the potential PR fallout from cybersecurity incidents is a challenge either way.
What can be done to reduce the risk of falling victim to an attack by a malicious insider?
Desjardins deserves kudos for publicly acknowledging the incident less than a week after it was discovered. Canada’s law pertaining to data breaches is the Personal Information Protection and Electronic Documents Act (PIPEDA), and the law doesn’t specifically mandate a timeframe for reporting data breaches, unlike the General Data Protection Regulation (GDPR) in the European Union. Desjardins did a bit better than what is required by Canadian law. Also, Desjardins' competitors in Canada's financial services industry face the same cybersecurity threats.
So those are my views. I wanted to get some fresh viewpoints from other cybersecurity professionals whose expertise I respect. So I asked them for their opinions. Here’s what they shared with me.
Duncan McAlynn, CEO of Operandis, said:
“This data breach is particularly nasty, as it illustrates the reputational, legal and financial losses that can occur as a result of insider threats. Organizations today can no longer focus exclusively on monitoring and protecting the perimeter networks; they must also center on the human perimeter as well. Early detection with User Behavior Analytics (UBA) and Data Loss Protection (DLP) technologies can help warn when there is a potential player in your midst.”
Cybersecurity Writer Anastasios Arampatzis said:
"Reviewing the Desjardins events and statement, I would like to note two issues: insider threat and crisis communications.
First of all, insider threat. To call this event 'not a cyber attack', as the communique reads, implies that you are not aware of the meaning of a cyber attack. Cyber attacks are not only due to external factors but also - and most important - due to internal factors. Any event or incident that violates confidentiality, integrity, and availability of your assets or resources is a cyber attack. Trying to baptize it with other names implies arrogance and ignorance.
This leads to my second thought: crisis communications. The Desjardins statement shows distrust and does not create a sense of safety and security for its customers. Was the employee the only one to blame? What made him act this way? What measures have you taken to ensure that this incident will not happen again? Why did it take you four whole days to go public?
If I was a Desjardins customer I would be worried more because of their reaction and less of the original event. Crisis communications are the number one asset for mitigating and minimizing the impact of such an event. If you cannot instill trust upon your customers, then most probably you will suffer tremendous reputational damage. There are numerous examples of effective cyber incident communications, such as the one of Maersk following the WannaCry attack. Crisis communications must be a strategic choice for every organization."
Quebec-based Cybersecurity Instructor Steve Waterhouse said:
“What was revealed last Thursday is simply normal after so many years of complacency, especially in the French-Canadian culture, where everyone believes it will only happen to someone else, not to us. So, this incident is a big wakeup call. Desjardins hosted a fraud and security forum on May 9th and 15th. I went to the one in Laval on the 9th, only to witness the culture of ‘just making things right’ again, not teaching their employees what’s at stake.
My point here is they handled the PR tsunami well, navigated through the storm. But it shows how companies are handling IT security in a reactive way. If Desjardins would have done their TRA correctly, the internal employees working with the data would have scored high in the probability of it happening. It may have gotten proper risk mitigation.”
Independent Security Researcher Sean Wright said:
"This breach highlights the risk malicious insiders can pose to an organization. Employees can have access to a tremendous wealth of data. Unfortunately, some employees will use this access for malicious purposes. Organizations need to understand that sometimes an employee's motivations can change over time and in some cases, unfortunately, they could become more malicious and result in the employee performing malicious actions.
It is important for organizations to try, where they can, to put monitoring into place to identify and alert when an employee performs actions which could be deemed out of the ordinary for that employee (behavior-based monitoring is an ideal example).
Having said that, trying to detect and prevent such instances is still hard and those who are determined and sophisticated enough will likely be able to bypass these measures. Thus, it is important to also have a prepared plan when a breach does happen. This should include steps for notifying any affected customers, plans or details on how to learn and prevent future incidents, and an incident response plan.
Lastly, the best practice to follow is the principle of least privilege. Only allow employees access to data which is essential to their role."
All companies that deal with financial data face the same sort of internal data breach threats that Desjardins contended with.
Hopefully, by being candid about such incidents, as Desjardins has done, the industry can improve and strengthen itself against future insider attacks.