Personal details relating to about 2.9 million members of Canada’s Desjardins Group, North America’s biggest federal credit union, have been exposed after they were stolen by an employee.

The data theft included names, dates of birth, social insurance numbers, addresses, phone numbers, email addresses and details about banking habits. Data relating to 173,000 business members of the credit union were also stolen and included business names, addresses, telephone numbers and owner names.

Desjardins noted that passwords, security questions and personal identification numbers were not compromised.

The motivation of the employee or whether the data stolen was shared with others is not clear. What is known is that he not only used his own employee credentials to gain access to the data but also tricked others at the credit union into providing theirs, overcoming built-in safeguards that the company designed to prevent any single employee having access to all data. The now former employee has been arrested and members are looking at class-action lawsuits, the Toronto Star wrote Friday.

The Desjardins data breach is a timely reminder that not every breach is caused by an outside attacker. Tim Erlin, vice president of product management and strategy at Tripwire Inc., told SiliconANGLE that insiders account for roughly a third of reported breaches and that organizations need to protect against misuse by authorized individuals in addition to malicious external attackers.

“When someone with valid credentials is the source of an attack, it’s often the changes they make that provide evidence of the attack,” Erlin said. “Monitoring for unauthorized and suspicious changes is a key tool for detecting these kinds of attacks.”

Shay Nahari, director of red team services at CyberArk Software Ltd., took a similar line, noting that the breach clearly demonstrates why the insider threat continues to be one of the most critical threat vectors facing organizations. Insider attacks from rogue employees, contractors and former employees who still have privileged access to critical systems are often the most costly and damaging.

“Desjardins indicates that new measures are being put into place to prevent future incidents,” Nahari said. “This should include a strong plan on implementing privilege access security to proactively limit user privileges and control access to reduce the risk of an insider attack. This ensures that that all users have the least amount of access to sensitive information as is necessary to do their jobs, and that maliciously activity can be rapidly detected and stopped.”

Photo: Ken Lund/Wikimedia Commons