Desjardins Bank: Data of 2.9 Million Customers Stolen
The Canadian cooperative bank Desjardins and local authorities are currently dealing with a particularly hefty case of data abuse: A bank employee, who has since been dismissed, managed to steal the personal data of roughly 2.9 million customers. About 40% of Desjardins' customers have been affected by the incident. Today, we are going to take a closer look at this case of employee data theft.
Data Theft Due to Poor IT Security
Back in December 2018, the bank had noted a suspicious transaction and reported it directly to Laval police (Quebec). Since then, the bank has worked closely with authorities to investigate the incident and find the offender responsible for the transaction. The true extent of the incident was revealed only recently, and police informed Desjardins about this on June 14th, 2019.
A member of the bank's IT department had abstracted and passed on the data of over 2.7 million private customers and 173,000 business customers. This incident is not an example of a hacker attack from outside; it is an example of data abuse from within. For Desjardins, this fact is especially bitter to digest because the damage done to the bank's image is likely to prevail for years to come.
Lack of Access Management Enabled Data Abuse
The perpetrator was able to bypass security measures that were designed to prevent a single person from being able to access all customer records. It is without doubt that Desjardins' access governance was not sophisticated enough to prevent the attack. The culprit was immediately fired and arrested by the police.
What Data Was Affected?
Private customers had their personal data stolen, including first and last names, DOBs, social security numbers, addresses, phone numbers, e-mail addresses, as well as details on banking usage and Desjardins products.
The stolen records of business customers include company names, addresses, phone numbers, names of owners as well as names of AccèsD Affaires account users.
Passwords, security questions and PIN codes were not affected. The bank immediately made the incident public and informed all persons concerned.
Financial Consequences for Desjardins
Aside from the damage to the bank's image and the loss of credibility toward its customers, Desjardins also faces significant financial consequences. In a class action lawsuit filed with the Supreme Court of Quebec, the financial institution is being accused of negligence and of failing to fulfill its obligation to adequately protect customer data.
For those affected, damages of 300 US dollars each are being claimed. In addition, Desjardins is offering a 5-year credit monitoring service to all affected customers. The service includes daily access to credit reports, notification of important changes and identity theft insurance.
Ever since the attack became known, the bank has been working with police, authorities and IT security experts to minimize the damage and to guarantee better security in the future.
Financial Services Authority Warns of Fraud
Quebec's financial services authority warned that Desjardins' customers may now fall prey to fraudulent emails, text messages, and phone calls due to the data breach. Scammers may try to contact the victims of the incident under the false pretense of needing to take security measures and wanting to provide updates regarding the event.
Access Control Provides Protection
The incident demonstrates the immense damage potential posed by internal IT security staff. While businesses fear hacker attacks and try to take great precautions to prevent outside attacks from happening, they often neglect the potential dangers lurking within. What we know for sure is that people can only steal data they actually have access to.
Only sophisticated access governance through an automated platform for identity and access management can provide sufficient protection for your data. Our blogpost Access Management vs IAM covers the differences between these two solutions and outlines which system best suits which business model.