Friday, June 21, 2019

Desjardins: Round two - The truth comes out, do banks really care?

This Friday post is all about commitment.  

I'm going to float an idea and commit to it for the next 72 hours.

FIRM STATEMENT:  The Desjardins data exposure was not performed by IT staff.

Let's review some facts.

  • The CEO stated clearly that he felt completely violated.  He didn't reach for words like "appalled"; he used words that showed he felt thoroughly violated.
  • He states without doubt that the information is not for sale on the Dark Web....
  • He states without doubt that passwords, PIN numbers and secret questions have not been exposed...
  • And he stated that this was all performed by an EX employee.
  • The Laval police are investigating, not the provincial police...
  • The plot thickens....


So here is my stab at the million dollar question: who did it?

Someone trusted by the enterprise, working in a department that could obtain this information.  To summarize what was taken: names and addresses, birthdates, social insurance numbers, purchasing habits, and which products you hold with Desjardins.

The social insurance number is often the unique database key used to represent the person, so its presence in the data set may simply be incidental; either way, it is irrelevant to my scenario.

So: someone trusted, who worked with this type of information, and whom we fired a few months ago.  If we fired him, he must have done something wrong; perhaps he had already been loose with the data.

And when banks fire someone, they have them sign an agreement that neither party talks about the other, and both parties move on.  That is why Desjardins is not naming him at this point.

So enter round two...   The now unemployed person (who kept a ton of sensitive information even though he declared in his exit interview that he would retain no such data) is now sitting at home starting a new business with this stolen data.  Perhaps a business that fits the type of data collected: purchasing habits, banking, and insurance adherence data.

Perhaps this not too wise person approached various people to leverage the data in some way, and eventually someone ratted them out.

This then becomes a breach of contract based on the employee having promised not to keep or use Desjardins data after they got themselves terminated.

It all makes sense with these variables.

Bottom line: Desjardins did not have controls in place to detect the accumulation of vast quantities of data, and never knew that their data had left the building.  Or did they... "but he promised he deleted it".
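The missing control described above is, at its simplest, a check that someone is pulling far more customer records than their peers. The following is an added example, not code from the post or from Desjardins: the log lines, field layout and thresholds are constructed assumptions, and the detector flags any user-day whose record volume dwarfs the median user-day volume or exceeds a hard cap.

```python
"""Added example (not from the post): flag insiders whose daily record
volume dwarfs the peer baseline. Log lines and field layout are constructed
assumptions, not Desjardins' real logging format."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed access-log lines: timestamp user action table record_count
SAMPLE_LOG = """\
2019-03-01T09:12:03 alice query customers 40
2019-03-01T14:20:11 alice query customers 35
2019-03-02T10:02:45 alice export customers 50
2019-03-01T09:30:00 bob query customers 30
2019-03-02T11:15:09 bob export customers 2900000
2019-03-03T08:05:33 bob export customers 1200000
"""

def parse_log(text):
    """Turn each line into (day, user, action, records); skips blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, _table, count = line.split()
        rows.append((datetime.fromisoformat(ts).date(), user, action, int(count)))
    return rows

def daily_volume(rows):
    """Sum of records touched per (user, day), regardless of action type."""
    totals = defaultdict(int)
    for day, user, _action, count in rows:
        totals[(user, day)] += count
    return dict(totals)

def flag_bulk_access(rows, peer_multiplier=10, absolute_cap=100_000):
    """Return [(user, 'YYYY-MM-DD', records)] for user-days that exceed
    either peer_multiplier x the median user-day volume or absolute_cap.
    The median keeps the baseline robust to one insider's own outliers."""
    totals = daily_volume(rows)
    baseline = median(totals.values()) if totals else 0
    flagged = [(u, d.isoformat(), n) for (u, d), n in totals.items()
               if n > baseline * peer_multiplier or n > absolute_cap]
    return sorted(flagged)

if __name__ == "__main__":
    for user, day, n in flag_bulk_access(parse_log(SAMPLE_LOG)):
        print(f"ALERT {day} {user} touched {n} records")
```

In practice the baseline would be computed per role or department rather than across everyone, and exports would be weighted more heavily than queries.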

Wouldn't this scenario make you, as the CEO, feel violated?

After all, someone you paid to do a job didn't respect you or your semi-binding agreements and now you are faced with the angry public and the ever so inquisitive press.


When someone internally defrauds a bank, the bank is much more stressed about their reputation than the wrong that was done to them.

So if John (taken from a true fraud case I worked) defrauds the bank for $500,000, the bank gets John to sign an agreement stating that John is fired, that neither party talks about the other going forward, that the bank owes John nothing, etc.

So John crosses the street, goes to work at the next bank and performs the same types of malicious actions, but this time... he does it even better, based on the lessons learnt from his first dismissal... or was it really his first...

Banks need to start pressing charges and publicly exposing these people so that they do not go on to the next victims.

Banks do not care about the big picture or the citizens; they care about their clients' perception.

So back to Desjardins: they probably fired him because he was accessing systems without cause and exhibiting behaviour that violated policies, or he literally accessed tons of data and got caught months ago.  Then he promises not to keep any data, and now we all know why the CEO feels violated.

Desjardins and Equiflop

Initially, Desjardins offered 1 year of credit monitoring, but you had to agree to the disclaimer, which was the same disclaimer Equifax tried to push down people's throats last year.  ** If you agree to the free credit monitoring service, you agree not to sue us.

Maybe someone is reading my blog, because they have now moved the 1 year up to 5, and someone seems to have removed the disclaimer.  Guess we will see when the physical letter gets mailed out next week.

Banks, please commit to being better digital citizens.  Impose strict rules, AND enforce strict penalties.  Don't let your shit employees go to work somewhere else doing the same thing they did to you.  I know your lawyers disagree; maybe they are part of the problem.

Happy long weekend to all my friends in Quebec, and remember the old security motto:



Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
