The Canadian financial institution Desjardins was the victim of an insider threat resulting in the data of 2.9 million customers being exposed, including crucial personal and business information.
The Montreal-based credit union was told by the Laval Police Department the information of 2.7 million individual customers, along with 173,000 business clients had been leaked. An investigation found the breach to be the work of an employee, the company said in a statement.
“This incident was not a cyberattack. Desjardins computer systems were in no way breached during this incident, which was the result of illegal acts committed by the above-mentioned former employee,” the company said.
The employee in question has been fired and arrested by the Laval police, CBC news reported.
The consumer data leaked included first and last name, date of birth, social insurance number, address, phone number, email address and details about their banking habits and Desjardins products. Passwords, security questions, and PINs were not compromised.
Business customers had their names, addresses, telephone numbers, and the names of owners and AccèsD Affaires account users. Some information about owners or AccèsD Affaires users may have also been affected. If that is the case, these people will receive a letter informing them of the situation, the company said.
The company has not said what position the insider threat held, the reason behind the release or exactly where the information was found by the police.
The company did first become aware that something was amiss in December 2018 when it spotted a suspicious transaction and then the full extent of the damage was deciphered over the intervening months. The employee was identified and suspended at which point the data leak ended, CBC reported.
Ilia Kolochenko, ImmuniWeb's founder and CEO, said one issue is enabling a single person to have too much access.
"When just one employee, reportedly acting without acolytes, has an uncontrollable access to such a huge amount of confidential data and even manages to take it away, there is reason to believe that some of the internal security controls are broken. Human factor remains the largest and probably the most dangerous risk than cannot be fully remediated. Most companies considerably underestimate human risk and then face disastrous consequences," Kolochenko said.