A data breach at Desjardins, a Canadian financial services cooperative, was caused by a series of gaps in administrative and technological safeguards, according to an investigation by the Office of the Privacy Commissioner of Canada (OPC).
The OPC published its investigative report of findings into the incident, which compromised the data of nearly 9.7 million Canadians.
The OPC and the Commission d’accès à l’information du Québec coordinated their respective investigations. The Autorité des marchés financiers du Québec is also publishing the results of its own investigation.
“Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care,” says Daniel Therrien, privacy commissioner of Canada.
“The organisation’s customers and members, and all citizens, were justifiably shocked by the scale of this data breach. That being said, we are satisfied with the mitigation measures offered to those affected and the commitments made by Desjardins.”
Desjardins had recognised some of the security weaknesses that ultimately led to the breach and had developed a plan to remedy them. Nonetheless, it failed to rectify the issues in time to prevent what happened.
Moreover, the breach occurred over more than a two-year period before Desjardins became aware of it, and then only after the organisation had been notified by the police.
According to the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information must be protected by security safeguards appropriate to the sensitivity of the information.
This represents a significant, but nonetheless crucial, task for a financial institution with complex systems and that maintains a large number of business relationships.
The investigation into the breach at Desjardins sheds light on the risks of internal threats, whether they are intentional or not. The OPC stresses the importance of vigilance and a holistic approach to addressing and mitigating the impact of such threats.
For at least 26 months, a malicious employee was exfiltrating sensitive personal information collected by Desjardins from customers who had purchased or received products offered directly or indirectly by the organisation.
This information was originally stored in two data warehouses to which the malicious employee had limited access. However, other employees, in the course of fulfilling their duties, would regularly copy that information onto a shared drive. As a result, employees who would not usually have the required clearance or the need to access some of the confidential data were able to do so. While these practices violated the financial institution’s policies, the technological measures in place to prevent these situations were lacking at the time of the breach.
At the end of the investigation, Desjardins agreed to a series of recommendations to improve its program for information security and the protection of personal information, including its data destruction practices.
It committed to provide progress reports to the OPC every six months. The financial institution also agreed to engage external auditors to assess and certify its programs and to submit an assessment report to the OPC.
The OPC’s investigation revealed that Desjardins had failed to meet several of its obligations under PIPEDA. Desjardins failed to ensure the proper implementation of its policies and procedures for managing personal information, some of which were inadequate to begin with.
The regulator points out that from a technological standpoint, the access controls and data segregation of the databases and directories were inadequate.
It also notes that employee training and awareness were lacking considering the sensitive nature of the personal information the organisation was entrusted with.
Overall, the regulators find that Desjardins had not implemented retention periods or procedures regarding the destruction of personal information.