ITBusiness.ca

Laying blame on employee in Desjardins data breach is ignoring the big picture, security experts say

The Desjardins Group, North America's largest credit union federation, experienced a data breach exposing private data of 2.7 people. Credit: CP/Lee Brown

Despite many blaming the employee who allegedly leaked almost 3 million individuals’ information in the recent data breach at The Desjardins Group, some experts warn that this is over-simplifying the problem and not laying enough blame on the company itself.

Mark Sangster, vice-president and industry security strategist at eSentire Inc., spoke with IT World Canada and said that a breach of this sort is a culmination of many factors, not just one; comparing it to the Boeing 737 scandal.

“All too often what happens in these events is that one single source is kind of at is considered at fault. That lets the company and everybody off the hook. The best analogy I have is the 737,” said Sangster. “It wasn’t simply a pilot error or it wasn’t simply a mechanical failure or design impact. It’s the same thing in security. You have an employee that conducted allegedly illegal activities. So what policies were in place to denote those as illegal or unauthorized? What training was in place? What background checks were committed? What other checks and balances from a security perspective were implemented that would prevent this from occurring?”

Was this reported in a timely fashion?

What worries Sangster the most, he said, is if this was correctly reported in a timely fashion, what’s being done to improve on that time? This is something he said he hopes the privacy commission focuses on as the investigation moves forward.

Mark Sangster, VP and industry security strategist at eSentire, says that more blame should be given to Desjardins. Credit: Twitter

“Once the company determined that a significant breach has occurred, they then have to make notification. They have to contact the privacy office. And then as a subsequent follow on, they have to contact any affected individuals. What’s critical in that is ensuring that the company does this because the faster that you find out, you can now take whatever actions are required,” explained Sangster. “As a simple example, if you were truly concerned about the impact on your finances, you can be doing things like looking at bank records, suspending your account… But when you don’t know about it, that’s the real problem. This is what I would encourage the privacy commission in this case to focus on.”

Desjardins announced Thursday that the private information of around 2.7 million of its clients – almost a tenth of Canada’s population – was leaked by an employee. This data included names, addresses, birth dates, social insurance numbers, email addresses, and information about transaction habits. In addition, 173,000 businesses were affected.

Desjardins is the largest federation of credit unions in North America.

The employee has been fired and police from the city of Laval are investigating.

According to a report from CBC, the employee gained access to much of this data by gaining the trust of their co-workers and leveraging that to gain access to their permissions.

Internal attacks

This type of breach is much more common than one might think, according to Tim Erlin, vice-president of product management and strategy at Portland-based cybersecurity firm Tripwire. Roughly a third of reported breaches are caused by an insider.

“Not every breach is caused by a malicious nation-state. Insiders account for roughly a third of reported breaches,” said Erlin in an email to IT World Canada. “Organizations need to protect against misuse by authorized individuals in addition to malicious external attackers.”

Despite the surprise nature of an inside breach, Erlin does point out that this would not come without its own warning signs.

“When someone with valid credentials is the source of an attack, it’s often the changes they make that provide evidence of the attack. Monitoring for unauthorized and suspicious changes is a key tool for detecting these kinds of attacks.”

Even with the ability to detect such attacks, Sangster warns that it’s not as simple as simply keeping an eye out for suspicious behavior, as there can be an overwhelming amount of alerts on any given day; many of which may be of no consequence.

What can be done to prevent this?

One solution to this problem is the use of AI and machine learning to weed through the alerts and pinpoint those that require action; something that Cisco recently announced it will be adding as a capability to its network solutions.

Sangster said this is a field that is trending in the security industry but indicated that it’s not the “holy grail” solution some might think it is.

“That is a trend in the industry to use machine learning… to go through those massive volumes of data and detect those aberrant kinds of behaviors. Then from that, check out only the ones that really look like they’re most suspicious,” said Sangster. “It’s only going to solve so much of it. It depends how it’s implemented. Where machine learning does a great job is you can analyze not only the data but analyze the actions that an analyst takes. And over time you can kind of iterate and hone that right.”

Additionally, Sangster pointed to other solutions, like data loss prevention (DLP) products, that could have halted this employee from doing what they were alleged to have done.

He explained that products like this will allow you to not only classify any assets you have and minimize and control who has access to them, but it will also prevent actions like uploading data to a cloud drive or sending data to an unauthorized email domain.

Outside of these technical solutions, when it comes to an attack fueled by human manipulation via gaining access to co-workers permissions, as this breach is being reported as, there is still a human element that needs to be taken into account when looking to prevent similar catastrophes. It can be as simple as implementing better security training so that employees will not allow themselves to be tricked into giving away any permissions or access codes.

“That whole social engineering is exceptionally common. While the types of security incidents and attacks that we see have increased in their sophistication, that doesn’t mean that the technologies become more elegant. They’re not using some super Jason Bourne or James Bond technology here. They’re just using their wit. And they’re being smart about how they do it. And unfortunately, humans, we are the weakest link in all of this.”

Exit mobile version