Massive Desjardins breach will happen again due to lax regulations, zero punitive measures: cyber expert
The laws in Canada around personal data protection lack bite, says a cyber security expert, after Desjardins Group went public last month about a data breach that exposed the personal information of nearly three million of its customers.
“Until you get the laws where you’re actually going to be fined, you’re going to see a lot of these things continue,” said Sem Ponnambalam, president of Xahive, an Ottawa-based cyber security firm.
Québec’s privacy commissioner and its federal counterpart have since opened investigations into what Desjardins reported on June 20, 2019 was an inside job by an employee who took sensitive data, including social insurance numbers (SINs) and personal banking habits.
The credit union also admitted it had no idea of the theft until Laval Police brought it to the company’s attention the week before.
Ponnambalam said that, although the breach was carried out by an insider, the principles used to secure an organization against outside attackers apply equally to data theft by insiders.
“If they had cyber security protocols in place, Desjardins would not have happened – if an employee’s computer can be compromised from the outside, why would certain employees need access to everything?” she said.
“And just because you’re an executive, doesn’t mean you need access to the entire vault.”
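The need-to-know principle in those two quotes is easy to state and routinely skipped. As an added example (not Desjardins code and not from the article), the block below pairs an allow-list access check, in which no role, executive or otherwise, maps to the whole vault, with the monitoring that would have surfaced an employee pulling records for millions of members rather than the handful a job requires. The roles, fields, threshold and audit log are hypothetical and constructed for the example.

```python
"""Need-to-know access control plus a bulk-access alert.

Added example, not Desjardins code: roles, fields, the threshold and the
sample audit log are all hypothetical and constructed for illustration.
"""
from collections import defaultdict

# Need-to-know policy (hypothetical): each role sees only the fields its job
# requires. There is deliberately no role that maps to "everything".
ROLE_FIELDS = {
    "teller": {"name", "account_balance"},
    "marketing": {"name", "postal_code"},
    "fraud_analyst": {"name", "transactions"},
    "executive": {"aggregate_report"},
}


def authorize(role, requested_fields, audit):
    """Return True only if every requested field is on the role's allow-list.

    Every decision, granted or denied, is appended to `audit`, so a denied
    request for sensitive fields is visible to security operations rather
    than silently failing.
    """
    allowed = ROLE_FIELDS.get(role, set())  # unknown role -> no access
    requested = set(requested_fields)
    denied = sorted(requested - allowed)
    audit.append({
        "role": role,
        "fields": sorted(requested),
        "decision": "deny" if denied else "allow",
        "denied": denied,
    })
    return not denied


def bulk_access_alerts(events, threshold):
    """Flag employees who read more distinct customers than `threshold`.

    `events` is an iterable of (employee_id, customer_id) pairs, the kind of
    thing a database or application audit log yields. Repeated reads of one
    customer do not add up: a teller serving the same member all day is not
    an exfiltration, while one account touching thousands of members is.
    """
    customers_seen = defaultdict(set)
    for employee_id, customer_id in events:
        customers_seen[employee_id].add(customer_id)
    return {emp: len(c) for emp, c in customers_seen.items() if len(c) > threshold}


def sample_events():
    """Constructed audit log for the example (not real data)."""
    events = []
    events += [("emp-teller", f"cust-{i}") for i in range(40)]      # normal day
    events += [("emp-repeat", "cust-7")] * 200                       # same member, many times
    events += [("emp-insider", f"cust-{i}") for i in range(2000)]   # bulk pull
    return events


if __name__ == "__main__":
    audit = []
    print(authorize("executive", ["sin", "account_balance"], audit))  # False
    print(authorize("teller", ["account_balance"], audit))            # True
    print(bulk_access_alerts(sample_events(), threshold=500))         # {'emp-insider': 2000}
```

The allow-list is the least-privilege half; the threshold alert is the detection half. Neither is sophisticated, but the second is the piece whose absence L5 describes: an organization that only learns of a bulk export from the police has no baseline for how many distinct records an employee normally touches.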
While Desjardins has apologized and offered affected customers credit protection, few details about the employee are known because a police investigation is ongoing.
A Desjardins spokesperson told The Post Millennial that more details would likely come from Laval Police.
“The outcome of unauthorized and illegal use of our internal data by an employee who has since been fired,” is all that Desjardins provided in their June 20 statement.
A TVA Nouvelles report claimed the source of the breach was a 37-year-old consultant with “keen computer knowledge” and others may be implicated. Update: On Friday (July 12) Le Journal De Montréal reported that Sébastien Boulanger Dorval was arrested in June and released without charges.
But whether it is state-sponsored cyber larceny, hacktivism or theft by a now former Desjardins employee, the crime is a national security concern, says John McKay, chair of Parliament’s public safety committee, who has reconvened an ‘emergency meeting’ this Monday to learn more about the case.
“I would put this at the top of the list, higher than terrorism,” McKay told TPM. “Because this affects us all, whether it’s the asymmetric warfare of a country like China, cyber breaches for commercial economic, military managed, or whether it’s some hacker in the basement of his mother’s house. They are all serious issues.”
Like Ponnambalam, McKay said “there is a legislative deficiency” for holding private sector firms more accountable; “the theft is a criminal code matter and really out of our jurisdiction, similar with civil liability issues.”
Consider the Office of the Privacy Commissioner’s findings on Equifax, whose credit reporting service was hacked in 2017, exposing about 19,000 records belonging to Canadians among more than 145 million people affected worldwide.
In the UK, Equifax was fined £500,000, the maximum available under that country’s data protection law at the time, and in the United States the same company, for the same breach, cut a deal with federal regulators that included spending $1.5 billion to upgrade its cyber security and practices.
Back in Ottawa, guided by the toothless Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private-sector organizations handle personal information in the course of commercial activity, the Office of the Privacy Commissioner delivered little more than an admonishment.
Yes, the commissioner’s report found that Equifax had breached the act on a number of fronts because of poor security, and so the company had to promise to improve its network defences and its handling of client data.
Asked about this slap on the wrist, McKay said that in the absence of harsher penalties, civil litigation remained the best hope for pushing companies like Desjardins and Equifax to protect customer data.
“It may well be that one of the benefits that it starts to dawn on some of these companies, that if they don’t do everything up to a 100 percent, they are going to be facing massive lawsuits,” said McKay. “To the point where maybe the viability of their companies is in jeopardy.”
Ironically, the committee McKay chairs released its own report about cybersecurity in the financial sector the same day Desjardins went public. The committee’s first recommendation kicks the issue down the road to the next government’s committee as an item to continue monitoring.
“We’re certainly behind the curve as far as regulatory authorities are concerned,” McKay admitted.
In addition to the Equifax and Desjardins breaches, exposure of personal banking and credit information in Canada was reported in May 2018 by Bank of Montreal and CIBC’s Simplii Financial, which together lost data on about 90,000 customers to hackers who demanded $1 million not to release it.
After the banks acknowledged the breach, former Ontario Information and Privacy Commissioner Ann Cavoukian criticized them for merely telling customers to “monitor” their accounts for suspicious activity and promising to shore up security.
“They should have been doing that from the beginning,” she told CTV in a television interview. “I expected them to have the highest level of protection possible, and clearly they didn’t.”