Thursday, June 20, 2019

When the banks drop the ball - Desjardins leaks all their clients data.

CBC NEWS - Personal data of 2.9 million people leaked from Desjardins

Often, so many things are wrong with these press releases that it is easy for me to critique them and sometimes laugh.  In fact it is almost a guilty pleasure for me.

The news headlines state that 2.9 million Desjardins clients have been exposed.  
It should simply say that all Desjardins clients have been exposed and remove the ambiguity since that is the actual fact.

Why is the number important?  It is not.  Desjardins is the biggest credit union type bank in North American, and a subset of all their client data has left the building.   This could happen to ANY bank, so I am not getting on the bandwagon that Desjardins did or does a poor job.  This is far from the truth as they are often a reference in cybersecurity practices.  Like everyone, they have weaknesses the can sometimes be leveraged.  A malicious employee is near impossible to totally contain.   But I can still poke fun at the news articles....

So... they also use the word SHARE, as in a former employee shared the data.  Who the hell did they share the data with!  They stole the data.  Stop using soft words that make it sound like they hit the wrong button on Facebook!  Also, at this point, it isn't someone they fired, I hope it is someone they are pushing for criminal charges for.

A big piece remains, I fail to see anything in these articles that tell the consumer what to expect as far as repercussions down the road.  I don't want to steal the punchline from them, but you may end up owning a mortgage or a credit card that you never asked for ;-)

Data Loss Prevention (DLP)

Enterprises are constantly faced with the desire to deploy a DLP.  In fact, since the cybersecurity industry has an acronym for it, this means that it is a big problem, and big money is involved.

Not a week goes by that someone isn't talking to me about deploying the latest and greatest DLP solution.

The fact is, these solutions reduce risks involving accidental exposure but hardly make a dent in someone internal wanting to actually steal your data.  These solutions rely on many factors and ingredients to yield benefits and almost every enterprise I visit is missing most of the required ingredients for a DLP project to be a success.

Now take Desjardins.  They are big (by Canadian standards), and they invest significant sums in everything relating to security.  They don't a a security person, they have security teams (with an S).

When a rogue technology person decides to pain outside of the lines, you are in for an enlightening and embarrassing experience.

In this case, it was not Desjardins that realized they had been violated.... the cops called Desjardins to tell them they had been had.  This is an upgrade from the more common scenario when a television crew or journalist calls you and tells you the bad news, so maybe this part is a positive.    However it is more of a negative for one simple reason, if the police are involved, chances are it is a much bigger deal than when a journalist calls you.  

You see, journalists call you when someone blows the whistle.  This someone generally isn't malicious, they just want something to change.  When the police call you..... well... you do the math.

Now Desjardins is falling into the trap that many fall into and they are trying to tell the public not to panic since PIN numbers, credit card numbers, and secret questions have not been exposed.

First of all, they cannot possibly know this with 100% certainty, but lets continue....

So all the information they have on their client, all the information that can expire and be changed... that information is secure.

However, all the information that you will die with such as your birthdate & Social Insurance Number... that was stolen.

But rest assured, we are working with Equifax, a household name in extremely mature and well rounded cybersecurity practices. That last part is sarcasm, so no hate mail please.  I wrote a series of blogs posts on Equifax and their subpar security (example:  HERE)

Equifax will provide 1 year of identity theft protection payed for by Desjardins! 

Wow.... we are still going with that?

The AMF ( says that they are happy with the approach that Desjardins is taking in resolving this matter.

Well, AMF.... and my many friends at the AMF.  In my opinion, you are falling short of your duty.

And once again, privacy commissioner of Canada, you are also at the precipice of failure.

You see, large corporations who end up having LARGE security exposures that can screw the lives of millions should own up to the magnitude of the issue.

This means that they should dedicate staff to operating an identity theft service and provide this service until you die since the information that was stolen cannot be changed and you will remain at risk of identity theft until you are dead.  In fact, some might argue that the risk may continue sometime afterwards ;-)

So why offer only one year of "oversight"... simple ... that is how long it takes for people to forget about the issue.  The general public should be made aware however, that identity theft can happen years down the road.

Also.... all the experts being interviewed so far are missing this one important fact....the information stolen included non matching data types.   What the hell is my purchasing history doing anywhere near my social insurance number and birthdate!  What the hell is going on at Desjardins.... will someone investigate this???  ZZzzzzz

When I go to negotiate a new mortgage, does the financial advisor "see" that I buy a lot of flowers ?

Can they then conclude that I apologize a lot to my wife hence the flowers !

Can they conclude that ANYONE who has to apologize three times a month by giving flowers MUST be a higher credit risk...

you get the picture....

As usual, these breaches end up opening the floor to more questions.. many many more questions.

So in closing, to the many enterprises that I have crossed and to all the enterprises that I will cross who have the attitude that their IT is the best, that they have no security exposures, that they are golden in this area... I leave you this thought to ponder:  Desjardins is at the top of the ladder and invests millions in a variety of security controls including non heterogeneous security teams... and they just got screwed over by an employee.  Sure you're 100% safe because your vaste experience in another unrelated domain tells you to feel that way.

Just like an anti-vaxer who reads a few facebook posts and will argue with a triple doctorat with 30 years of research under their belt.

Go in peace my friends and be realistic about your shortcomings and expectations. 

As for Desjardins, they remain a top bank, with top notch people and services.  Be cautious before throwing the first stone since any bank can be victim to this type of attack.  Just try and not keep all your data in a single bucket ;-)


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

No comments:

Post a Comment

Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...