First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

  • Home
  • About
  • Archives
  • Resources
You are here: Home / Privacy / Lessons learned: largest data breach

By Christina Catenacci, BA, LLB, LLM, Ph.D. | 6 minute read | February 2, 2021

Lessons learned: largest data breach

On December 14, 2020, the Privacy Commissioner of Canada, Daniel Therrien, issued a statement regarding the recent data breach at Desjardins. The statement involved the investigation conducted under the Personal Information Protection and Electronic Documents Act (PIPEDA) concerning the largest ever data breach in Canada’s financial services sector. Plainly put, the investigation revealed that Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care. In fact, the Privacy Commissioner stated, “What happened to Desjardins could have happened to other companies. As we know, these types of breaches happen all too often. This breach should serve as a lesson to other organizations.”

What happened?

As set out in PIPEDA Report of Findings #2020-005, on May 27, 2019, Desjardins notified the Office of the Privacy Commissioner of Canada (OPC) of a breach of security safeguards affecting approximately 9.7 million individuals in Canada and abroad. The personal information involved included first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories.

Desjardins also informed Quebec’s Commission de l’accès à l’information (Commission) and other regulators since there were individuals within their jurisdictions that were affected. Consequently, both the OPC and the Commission launched investigations. How does this work in terms of jurisdiction? Desjardins operates mainly in Quebec, but it also conducts activities in other Canadian provinces and abroad. Therefore, Desjardins is subject to both An Act Respecting the Protection of Personal Information in the Private Sector in Quebec and PIPEDA. More specifically, PIPEDA applies in respect of Desjardins’ activities in provinces without legislation considered to be substantially similar to PIPEDA. PIPEDA also applies where there is an interprovincial or international flow of personal information in the course of Desjardins’ commercial activities. Some of the personal information compromised by the breach was collected by Desjardins in the course of its activities outside Quebec but was stored in that province.

How did this happen?

One of Desjardins’ employees committed the breach—this “malicious employee” exfiltrated personal information over a period of at least 26 months.

The compromised personal information was originally stored in two data warehouses, the credit data warehouse and the banking data warehouse. The credit data warehouse was not divided into confidential and non-confidential portions: employees with the necessary authorizations could access all of its data, including personal information. Access to the banking data warehouse, by contrast, was segmented according to whether the information was confidential (containing personal information) or non-confidential.

In a nutshell, employees from the marketing department copied the personal information from both data warehouses to the marketing department’s shared directory accessible to all employees of the department. These employees had the necessary authorizations to access the data warehouses, including confidential information.

But the malicious employee did not have access rights to the confidential personal information held in the banking data warehouse—he only had access to non-confidential information in this warehouse.

As a result of this transfer to the shared directory, employees who did not have the necessary authorizations to access the confidential information in the data warehouses were now able to access it freely. The employees should have copied the protected information into the confidential folder of the marketing department’s shared directory. Ultimately, the malicious employee copied this personal information from the shared drive, including information he would not normally have access rights to in the banking data warehouse, onto his work computer in folders and then onto USB keys using file sharing software.

The malicious employee was also suspected of having sold some of the personal information to a private lender.
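The failure described above is that the data's classification did not travel with the data: once a confidential extract was copied into the open part of the marketing share, nothing checked where it had landed, and the masked substitute that the OPC later says could have been used was never produced. The following Python is an added example, not Desjardins' tooling and not code from the OPC report. It assumes a two-folder share layout (one "confidential" folder and one folder open to the whole department), uses the Canadian social insurance number as the sensitive field to look for (validated with its Luhn check digit so ordinary nine-digit numbers are not flagged), and builds a small constructed share in a temporary directory; the file names, client names and SIN values are made up.

```python
import re
import tempfile
from pathlib import Path

# Added example, not Desjardins' tooling or the OPC's. It treats the Canadian
# social insurance number (SIN) as the sensitive field to look for; a real
# policy would cover the other fields named in the report as well.

# Nine digits, optionally grouped 3-3-3 with spaces or hyphens.
SIN_RE = re.compile(r"\b(\d{3})[- ]?(\d{3})[- ]?(\d{3})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which Canadian SINs use; it cuts false positives
    from order numbers and other nine-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list[str]:
    """Return the valid SINs found in a piece of text, digits only."""
    return [
        "".join(m.groups()) for m in SIN_RE.finditer(text)
        if luhn_ok("".join(m.groups()))
    ]


def mask_sins(text: str) -> str:
    """Substitute masked values so a marketing extract keeps its shape but no
    longer carries the identifier (the substitution the OPC said was possible)."""
    def repl(m: re.Match) -> str:
        digits = "".join(m.groups())
        return "***-***-" + digits[-3:] if luhn_ok(digits) else m.group(0)
    return SIN_RE.sub(repl, text)


def scan_share(root: Path, confidential_dir: str = "confidential") -> list[tuple[str, int]]:
    """Report files holding SINs anywhere on the share other than the designated
    confidential folder, as (path relative to root, number of SINs)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts[0] == confidential_dir:
            continue  # the one place this data is allowed to live
        hits = find_sins(path.read_text(errors="ignore"))
        if hits:
            findings.append((rel.as_posix(), len(hits)))
    return findings


def build_demo_share(root: Path) -> None:
    """Constructed sample share (assumption: one confidential folder and one
    folder open to the department, like the layout the report describes)."""
    (root / "confidential").mkdir()
    (root / "campaign").mkdir()
    export = (
        "name,sin,city\n"
        "A. Tremblay,046-454-286,Montreal\n"   # valid check digit
        "B. Roy,130 692 544,Laval\n"           # valid check digit
        "C. Gagnon,123-456-789,Quebec\n"       # fails Luhn: not a SIN
    )
    (root / "confidential" / "clients_export.csv").write_text(export)
    # The mistake from the report: the same extract dropped into the open folder.
    (root / "campaign" / "mailing_list.csv").write_text(export)
    # What should have been shared instead.
    (root / "campaign" / "mailing_list_masked.csv").write_text(mask_sins(export))
    (root / "campaign" / "notes.txt").write_text("order 123-456-789 shipped\n")


def demo() -> list[tuple[str, int]]:
    """Build the constructed share in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_share(root)
        return scan_share(root)


if __name__ == "__main__":
    for rel, n in demo():
        print(f"{rel}: {n} SIN(s) outside the confidential folder")
```

Run against the constructed share, the scan flags only campaign/mailing_list.csv: the copy in the confidential folder is where the data belongs, the masked copy no longer contains a SIN, and the order number in notes.txt fails the check digit. A scan like this is the passive half of a DLP control; the active half blocks the copy or the write to removable media at the moment it happens.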

Main findings

1. Desjardins’ security safeguards and its responsibility to implement procedures to protect personal information and train employees

The OPC examined some measures that can be taken to combat insider threats, and concluded that there were failures to implement appropriate security safeguards given the volume and sensitivity of the personal information held by Desjardins. Moreover, there were weaknesses regarding implementing procedures and training staff. Thus, there were contraventions relating to the PIPEDA Principle 4.7 (Safeguards) and Principle 4.1 (Accountability):

  • Security screening and confidentiality agreements: The OPC found that Desjardins’ security screenings were acceptable and consistent with currently recognized standards and practices. However, it was important to note that they were insufficient on their own to combat insider threats.
  • Organizational policies and procedures: The OPC noted that policies and procedures were “pillars of privacy protection” and constituted vital organizational measures for protecting personal information throughout the life cycle. To that end, having and implementing adequate policies and procedures in itself constituted a safeguard. The OPC found that certain relevant policies and procedures were incomplete or had not been implemented.
  • Employee training and awareness: The OPC found that there were critical gaps in employee training and awareness at the time of the breach. Although there were training and awareness programs for employees covering information security and protection of personal information, there were no indicators demonstrating that employees understood the content. The OPC questioned whether the training provided to employees made employees sufficiently aware of the importance of maintaining the confidentiality of personal information, and of the serious consequences of making personal information accessible to unauthorized third parties.
  • Access controls and data segregation: The OPC found that Desjardins did not effectively manage access rights and data segregation, which were important security measures. Though there were rules about limiting access to employees with the appropriate authority, Desjardins’ information system allowed authorized users to move restricted data to unprotected directories and storage media without any controls. Desjardins could have reduced the exposure of the information by substituting it with non-confidential (masked) information. What is more, the personal information of some clients who were not Desjardins members was put in the banking data warehouse in error, and this constituted a failure to comply with Desjardins’ own standards governing the segregation of data.
  • Oversight and monitoring: The OPC noted that data loss prevention (DLP) solutions can detect and block the exfiltration of sensitive data, and so counter both external and insider threats by preventing the transfer of that data. User and entity behaviour analytics (UEBA) was another option: it models the behaviour of users and devices on the organization's network and flags departures from that norm. Although several technological approaches could have provided active monitoring of electronic information systems, none was used in this case; only passive measures were used, such as analyzing event logs after an incident was reported. The OPC stated, “An organization like Desjardins, which handles a large volume of transactions involving sensitive personal information, must have an active monitoring system.”
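The distinction the OPC draws in the last point, between reading event logs after someone reports an incident and continuously scoring activity as it occurs, is what a UEBA-style control provides. The following Python is an added example, not Desjardins' monitoring and not a vendor's product. It assumes a log of file-copy events from the marketing share (user, day, destination, row count; the events, user names and volumes are constructed, not taken from the report), builds each user's baseline from their first 30 days as the median plus three median absolute deviations of daily volume, and then flags any later day on which a user's volume exceeds that baseline, plus any copy to removable media regardless of volume.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

# Added example, not Desjardins' monitoring or any vendor's UEBA product.
# It scores a single signal, rows copied off the share per user per day,
# against that user's own recent history.


@dataclass(frozen=True)
class CopyEvent:
    day: date
    user: str
    source: str   # path on the marketing share
    dest: str     # "workstation" or "usb"
    rows: int     # records in the copied file


USERS = ("a.tremblay", "b.roy", "c.gagnon")   # hypothetical user names
DAY0 = date(2019, 1, 1)
TRAIN_UNTIL = DAY0 + timedelta(days=29)       # first 30 days form the baseline


def constructed_events() -> list[CopyEvent]:
    """Constructed log, not data from the report: 40 days of routine copies by
    three users, then one user also moving 20,000 rows a day to a USB key
    from day 31 on (a slow, sustained exfiltration)."""
    events = []
    for d in range(1, 41):
        day = DAY0 + timedelta(days=d - 1)
        for i, user in enumerate(USERS):
            rows = 700 + (d * 37 + i * 11) % 100   # routine volume, 700..799
            events.append(CopyEvent(day, user, "campaign/segment.csv", "workstation", rows))
        if d > 30:
            events.append(CopyEvent(day, "c.gagnon", "campaign/mailing_list.csv", "usb", 20_000))
    return events


def daily_totals(events: list[CopyEvent]) -> dict[tuple[str, date], int]:
    """Rows copied per (user, day), all destinations combined."""
    totals: dict[tuple[str, date], int] = defaultdict(int)
    for e in events:
        totals[(e.user, e.day)] += e.rows
    return totals


def baselines(events: list[CopyEvent], train_until: date) -> dict[str, float]:
    """Per-user threshold = median + 3*MAD of daily totals in the training
    window, with a floor of 5% of the median so a flat history does not
    alert on trivial variation."""
    history: dict[str, list[int]] = defaultdict(list)
    for (user, day), rows in daily_totals(events).items():
        if day <= train_until:
            history[user].append(rows)
    out = {}
    for user, vals in history.items():
        m = median(vals)
        mad = median(abs(v - m) for v in vals)
        out[user] = m + 3 * max(mad, 0.05 * m)
    return out


def detect(events: list[CopyEvent], train_until: date) -> list[tuple[str, str, date, int]]:
    """Active monitoring: score every day after the training window.
    Returns (rule, user, day, rows) for each alert."""
    thresholds = baselines(events, train_until)
    alerts = []
    for (user, day), rows in sorted(daily_totals(events).items()):
        if day > train_until and rows > thresholds.get(user, 0):
            alerts.append(("volume_above_baseline", user, day, rows))
    for e in events:
        if e.day > train_until and e.dest == "usb":
            alerts.append(("removable_media", e.user, e.day, e.rows))
    return alerts


def run_demo() -> list[tuple[str, str, date, int]]:
    return detect(constructed_events(), TRAIN_UNTIL)


if __name__ == "__main__":
    for rule, user, day, rows in run_demo():
        print(f"{day} {user:<12} {rule:<22} {rows:>6} rows")
```

In the constructed log the exfiltration is a daily copy to a USB key, the pattern the report describes, and the per-user baseline fires on the first day of it; the other two users never exceed their thresholds. A peer-group baseline (comparing a user with the rest of their department) would also catch the case where a user's own history is already abnormal, which a self-referential baseline cannot.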

2. Retention of personal information held by Desjardins

With respect to the personal information retention practices, Desjardins did not handle personal information in accordance with the retention and destruction requirements, contrary to PIPEDA Principle 4.5 (Limiting Use, Disclosure and Retention):

  • the malicious employee inappropriately accessed 3.9 million inactive files—some had been inactive for decades.
  • although Desjardins had a directive and policy that set out the guiding principles governing the retention of personal information, it did not have any procedures in place for destroying personal information at the end of its lifecycle.
  • seven months after the incident, Desjardins still could not determine the retention period for the compromised inactive accounts.
  • the OPC stressed, “retaining personal information longer than necessary risks causing harm to the individuals concerned.”

3. The mitigation measures offered by Desjardins to the affected individuals

The OPC concluded that Desjardins satisfied its obligations under PIPEDA Principle 4.7 (Safeguards), and noted that the measures taken by Desjardins significantly surpassed those taken by other organizations following a major data breach, since it took several steps:

  • created a security office
  • created an information security and privacy protection improvement program
  • made improvements to the security screening
  • improved certain policies and procedures
  • improved the security training and awareness program for all employees and managers
  • improved access controls and data segregation
  • improved oversight and monitoring
  • improved the retention of personal information

What can organizations take from this?

In addition to the efforts made by Desjardins following the breach, the OPC made further recommendations that emphasized the importance of having a culture of accountability, providing the necessary technological resources and training, and continuing to remedy the weaknesses. The OPC also stressed the need to use vigilance and a holistic approach when deploying measures to address and mitigate the impact of insider threats.

Moreover, the OPC recommended that Desjardins: provide a progress report every six months on actions taken to safeguard information; finalize and submit a retention schedule and destruction process; delete or anonymize any personal information for which the retention period has expired; demonstrate that requests for access and transfer of personal information are monitored when they involve volumes below the minimum threshold of the new analysis environment; demonstrate that Desjardins implemented measures to protect personal information throughout its life cycle; and retain the services of an accredited and experienced external auditing firm to assess and certify its information security and privacy program and submit a report.

Subsequently, Desjardins accepted and put in place many of the recommendations. Some will be implemented over time with set dates of completion. As a result, the complaints were considered to be well-founded and conditionally resolved, with progress being monitored.

As the above discussion shows, organizations should take the time to examine the PIPEDA Principles mentioned above, namely Safeguards (4.7), Accountability (4.1), and Limiting Use, Disclosure and Retention (4.5). They should review their policies and procedures to confirm that the above points are addressed, so that they can benefit from the lessons learned. Creating the policies and procedures is not enough; they must also be reviewed regularly given the rapid pace of technology. And in order to address insider threats, all members of the management team must work together to create a culture of accountability.

Christina Catenacci, BA, LLB, LLM, Ph.D.

Christina Catenacci, BA, LLB, LLM, PhD, was called to the Ontario Bar in 2002 and has since been a member of the Law Society of Ontario. Christina worked as an editor with First Reference between 2005 and 2015 working on publications including The Human Resources Advisor (Ontario, Western and Atlantic editions), HRinfodesk, and First Reference Talks blog discussing topics in Canadian Labour and Employment Law. Christina obtained her Professional LLM Specializing in Labour Relations and Employment Law from Osgoode Hall Law School of York University in 2013, and recently earned her PhD in Law at the University of Western Ontario on October 23, 2020 in the area of privacy in the workplace.
Article by Christina Catenacci, BA, LLB, LLM, Ph.D. / Business, Employee Relations, Finance and Accounting, Information Technology, Privacy / Credit data, Data breach, Desjardins, employment law, Internal Controls, personal information, PIPEDA, PIPEDA principles, privacy