
Personal data of 2.9M people leaked from Desjardins - fmihaila
https://www.cbc.ca/news/canada/montreal/desjardins-data-breach-1.5183297
======
_asummers
> The information includes names, addresses, birth dates, social insurance
> numbers, email addresses and information about transaction habits.

Oooof.

> However, Desjardins said, passwords, security questions and personal
> identification numbers have not been compromised.

Well that's a relief! Glad the things that are easy to change are safe.

~~~
Raphmedia
It's very bad from a privacy standpoint but at least nobody will be able to
log in to my account and send all my money offshore.

~~~
_asummers
Instead they can steal your identity and open accounts in your name. Banks can
automate the changing of passwords and PINs by requiring the former
information to change the latter. But once it's out there, it's gone forever.

~~~
kgwgk
I know identity theft is not a joke, but (I'm too lazy to check how it works
in Canada, this is for the US):

• Under most state laws, you're not responsible for any debt incurred on
fraudulent new accounts opened in your name without your permission.

[https://www.consumer.ftc.gov/articles/pdf-0009_identitytheft...](https://www.consumer.ftc.gov/articles/pdf-0009_identitytheft_a_recovery_plan.pdf)

~~~
_asummers
That still requires work on the behalf of the person whose identity was
stolen. Affidavits signed, letters mailed, etc. Also vigilant monitoring of
your credit details afterwards.

Even if you are not monetarily charged, it's still a giant pain to recover
from.

~~~
kgwgk
How easy would it be to recover funds from an account that has been
compromised and emptied? Honest question, I have no idea.

Anyway, I don’t know how many fraudulent accounts are opened in Quebec each
year using stolen identities, but if the fraudster has three million
identities to choose from (one third of the population) you may have bigger
risks to worry about.

~~~
_asummers
Unsure about how it would work on a very large sum, or in Canada, but I had a
wallet stolen several years ago and had to sign an affidavit describing what
happened. Someone had gone to Best Buy and spent like $400, and the bank
returned it after a few weeks.

------
nbrempel
> The federation's CEO and president, Guy Cormier, said the security breach is
> not the result of a cyberattack, but the work of an employee who improperly
> accessed and shared the information.

> That employee has been fired.

> Cormier said he felt "betrayed" by the former employee's actions.

Fired? How about arrested?

~~~
Scoundreller
Let's see, 5 minutes of wasted time per impacted client (and that’s just to
interpret and ignore the notice) * 2.9 million people = 28 years of life lost
by one action.

Basically a murder in terms of aggregate impact.

~~~
abledon
Lol, with that logic most developers who implement an annoying pop-up banner
subscription/greeting chain combo on a high-traffic site are committing an
action equal to murder.

~~~
Scoundreller
The maintainers of uBlock Origin have a lot of "Get out of Jail" credits to
exchange if they ever need to.

------
luckylion
If it was possible for an employee to "access and share" 2.9m datasets, it's
the company's fault. No matter who the employee is, if you don't have
safeguards in place as a credit union, you aren't doing your job. Like, at
all.

~~~
kgwgk
How should you do your job so _no_ employee has access to that information?
I’m sure they could have been more careful, but the risk cannot be completely
eliminated without going to impractical extremes...

~~~
luckylion
shakna already gave some good points, but a major one is the _shared_ part.

Even if it's an admin that moves around a backup file from server a to server
b, you don't allow anyone to bring in and connect USB drives. You don't allow
personal laptops to access files (on that level - accessing a frontend is
fine, see access limits) that leave the premises. That's not impractical, it's
not extreme, it's just what you do when you handle very important data of
millions of users.

Making sure nobody can access data wholesale is step one. You will fail at
some point for some reason. Making sure no one can exfil large amounts of data
is step two. If he wants to go James Bond on you and use a small camera to
photograph his screen, good. Data leaks suck, but this way, it will affect a
hundred people, not 2.9m.

~~~
kgwgk
Sure, but you need processes to get all the names and addresses every time you
send statements by mail, for example. Someone somewhere needs to be able to
access the data. Not “everyone”, but not “nobody” either. How do you disable
access for database admins? Do you keep all the listings on microfilm in a
safe in a guarded room in the basement?

~~~
lightbritefight
No, you do what he explained. Those DBs might have access to the customer DB,
but no USB on those systems. That access would also be logged at another
location, listing date/time/user. It might also require a sign-off from a
manager/team that reviews record access of more than, say, 10,000 clients,
etc. DBs would be informed of all these security factors, to dissuade
individuals from making bad choices.

Individually, none of the above would stop this kind of breach. Altogether,
it might be enough. You apply defense in depth.
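
The access logging and sign-off rule described in this comment (and the
"make sure no one can exfil large amounts of data" step two a few comments
up) can be turned into a concrete detection rule: count the distinct customer
records each user touched per day, and flag anyone over the threshold who has
no approval on file. The Python below is an added example written for this
thread, not code from Desjardins or from any commenter. Its log format
(timestamp, user, action, customer id), the user names, the approval record
and the log lines themselves are constructed for the example; the 10,000
record threshold is the figure from the comment above.

```python
from collections import defaultdict
from datetime import datetime

# Threshold taken from the thread's "say 10,000 clients" figure.
BULK_THRESHOLD = 10_000


def make_sample_log():
    """Build a constructed access log (not real data): three users with
    very different access volumes, plus one malformed line."""
    lines = []
    # A statement-mailing batch account with a recorded sign-off: 12,000 customers.
    for cid in range(12_000):
        lines.append(f"2019-06-20T02:{cid % 60:02d}:00 svc_mailing READ {100_000 + cid}")
    # An individual pulling 10,500 distinct records in one day with no approval.
    for cid in range(10_500):
        lines.append(f"2019-06-20T14:{cid % 60:02d}:00 jdoe READ {100_000 + cid}")
    # A clerk doing ordinary work: 30 customers, each record opened twice.
    for cid in range(30):
        lines.append(f"2019-06-20T10:{cid:02d}:00 clerk1 READ {100_000 + cid}")
        lines.append(f"2019-06-20T10:{cid:02d}:30 clerk1 READ {100_000 + cid}")
    lines.append("garbage line that does not parse")
    return lines


def parse_line(line):
    """Return (date, user, customer_id) for one log line, or None if malformed.
    Assumed format: '<ISO-8601 timestamp> <user> <action> <customer_id>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        customer_id = int(parts[3])
    except ValueError:
        return None
    return ts.date(), parts[1], customer_id


def distinct_records_per_user_day(lines):
    """Map (user, date) -> set of distinct customer ids read that day.
    Re-reading the same record does not inflate the count; malformed lines
    are skipped and counted so a parsing failure is visible, not silent."""
    seen = defaultdict(set)
    malformed = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            malformed += 1
            continue
        day, user, cid = parsed
        seen[(user, day)].add(cid)
    return seen, malformed


def flag_bulk_access(lines, approvals, threshold=BULK_THRESHOLD):
    """Return one finding per (user, day) whose distinct-record count exceeds
    the threshold. `approvals` is a set of (user, 'YYYY-MM-DD') pairs with a
    manager sign-off on file; each finding is
    (user, date, distinct_count, 'approved' | 'unapproved')."""
    seen, _ = distinct_records_per_user_day(lines)
    findings = []
    for (user, day), ids in sorted(seen.items()):
        if len(ids) > threshold:
            status = "approved" if (user, day.isoformat()) in approvals else "unapproved"
            findings.append((user, day.isoformat(), len(ids), status))
    return findings


if __name__ == "__main__":
    log = make_sample_log()
    approvals = {("svc_mailing", "2019-06-20")}  # constructed sign-off record
    for finding in flag_bulk_access(log, approvals):
        print(finding)
```

The point of keying on distinct customer ids per user per day is that it
matches the control the comment describes: a legitimate batch job with a
sign-off is reported as approved, the clerk's normal workload never appears,
and the one account pulling a large slice of the customer base with no
approval is what an analyst sees first. For this to be worth anything the
log has to be written somewhere the people being monitored cannot edit,
which is the "logged at another location" part of the comment.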

------
simlevesque
fuuuck

> Anyone whose data was affected will receive a 12-month credit monitoring
> plan, paid for by Desjardins. That service includes access to daily credit
> reports, alerts of any changes and identity theft insurance.

> "I want to be really clear," said Cormier. "Our members will be reimbursed
> [for any losses they incur.] There will be no cost to our members."

Not bad.

~~~
purephase
No clear mention of whether those impacted will be notified though.

~~~
jacobroyquebec
Not in the article, but Desjardins has set up a webpage with information on
the leak.[0]

They will send a letter to every client whose information was leaked, which
will include the code for a free 12-month Equifax (credit report) monitoring.

[0] [https://www.desjardins.com/renseignements-personnels/index.j...](https://www.desjardins.com/renseignements-personnels/index.jsp)

~~~
appleiigs
lol equifax

------
canada_dry
As a retired IT Exec (I worked in Cdn banking for over a decade) this kinda
thing used to keep me up at night!

To mitigate the risk I wanted to implement a blanket USB plug-n-play
restriction but the client-side Execs overruled me. Fortunately a leak never
happened, but really it was just good fortune.

~~~
Terretta
As a current IT exec in banking, a thing that keeps me up at night is the “go
to” strategy of compromising employees’ ability to use productivity tools for
“security”.

If you follow the lock-it-down strategy to the max, you eventually unplug the
computer and keep it in a vault. Since you wouldn’t do that, that means you
recognize that security can’t be at the expense of all utility.

So what is the right amount of utility to sacrifice in order to achieve
security?

I’d argue — try for none. Make infosec the _happy path_.

------
yters
In this world of NSA, data leaks and FAARG, the only way forward is
undocumented births and backwoods medicine to avoid personal information being
at the mercy of the state, corporations and criminal organizations.

------
Thaxll
So the bank itself didn't find out about the issue but was told by the police.
I'm really curious about monitoring processes at banks...

~~~
dredmorbius
I've been looking into this recently Because Reasons. The story's pretty poor
in most places.

Brian "Krebs on Security" Krebs wrote a bit in March 2018 on the state of bank
online security. Virtually all of it is outsourced to a handful of major
service providers: Fiserv, Jack Henry, FIS, CSI, and Finastra.

[https://krebsonsecurity.com/2018/03/what-is-your-banks-secur...](https://krebsonsecurity.com/2018/03/what-is-your-banks-security-banking-on/)

I don't find any indication of what Desjardins' security is based on.

------
Raphmedia
More information from Desjardins: [https://www.desjardins.com/ca/personal-information/index.jsp](https://www.desjardins.com/ca/personal-information/index.jsp)

------
apo
> The information includes names, addresses, birth dates, social insurance
> numbers, email addresses and information about transaction habits.

It's starting to look downright irresponsible to regard such information as
private these days.

As such, it should be considered irresponsible to base any portion of a
verification protocol on that information.

------
thooranpoyi
This isn't surprising. As with everything in Québec, Desjardins is a
Québec-based business. They will still retain their customer base. Their
site's UX was so bad that I didn't use them as my bank. Their English customer
service sucks too. Glad I made that choice. A data breach is still a data
breach even if it was by a rogue employee.

By the looks of it, Quebec's Communauto is next in the line.

