On December 14, 2020, the Privacy Commissioner of Canada, Daniel Therrien, issued a statement regarding the recent data breach at Desjardins. The statement involved the investigation conducted under the Personal Information Protection and Electronic Documents Act (PIPEDA) concerning the largest ever data breach in Canada’s financial services sector. Plainly put, the investigation revealed that Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care. In fact, the Privacy Commissioner stated, “What happened to Desjardins could have happened to other companies. As we know, these types of breaches happen all too often. This breach should serve as a lesson to other organizations.”
As can be seen by the PIPEDA Report of Findings #2020-005, on May 27, 2019, Desjardins notified the Office of the Privacy Commissioner of Canada (OPC) of a breach of security safeguards, which affected approximately 9.7 million individuals in Canada and abroad. The personal information involved included: first and last names; dates of birth; social insurance numbers; residential addresses; telephone numbers; email addresses; and transaction histories.
Desjardins also informed Quebec’s Commission de l’accès à l’information (Commission) and other regulators since there were individuals within their jurisdictions that were affected. Consequently, both the OPC and the Commission launched investigations. How does this work in terms of jurisdiction? Desjardins operates mainly in Quebec, but it also conducts activities in other Canadian provinces and abroad. Therefore, Desjardins is subject to both An Act Respecting the Protection of Personal Information in the Private Sector in Quebec and PIPEDA. More specifically, PIPEDA applies in respect of Desjardins’ activities in provinces without legislation considered to be substantially similar to PIPEDA. PIPEDA also applies where there is an interprovincial or international flow of personal information in the course of Desjardins’ commercial activities. Some of the personal information compromised by the breach was collected by Desjardins in the course of its activities outside Quebec but was stored in that province.
How did this happen?
One of Desjardins’ employees committed the breach—this “malicious employee” exfiltrated personal information over a period of at least 26 months.
It was discovered that the compromised personal information was originally stored in two data warehouses, namely the credit data warehouse and the banking data warehouse. Although the credit data warehouse was not divided into confidential and non-confidential portions (employees with the necessary authorizations could access all of the data, including personal information), access to the banking data warehouse was segmented according to whether the information was confidential (with personal information) or non-confidential.
In a nutshell, employees from the marketing department copied the personal information from both data warehouses to the marketing department’s shared directory accessible to all employees of the department. These employees had the necessary authorizations to access the data warehouses, including confidential information.
But the malicious employee did not have access rights to the confidential personal information held in the banking data warehouse—he only had access to non-confidential information in this warehouse.
As a result of this transfer to the shared directory, employees who did not have the necessary authorizations to access the confidential information in the data warehouses were now able to access it freely. The employees should have copied the protected information into the confidential folder of the marketing department’s shared directory. Ultimately, the malicious employee copied this personal information from the shared drive, including information he would not normally have access rights to in the banking data warehouse, onto his work computer in folders and then onto USB keys using file sharing software.
The malicious employee was also suspected of having sold some of the personal information to a private lender.
1. Desjardins’ security safeguards and its responsibility to implement procedures to protect personal information and train employees
The OPC examined some measures that can be taken to combat insider threats, and concluded that there were failures to implement appropriate security safeguards given the volume and sensitivity of the personal information held by Desjardins. Moreover, there were weaknesses regarding implementing procedures and training staff. Thus, there were contraventions relating to the PIPEDA Principle 4.7 (Safeguards) and Principle 4.1 (Accountability):
- Security screening and confidentiality agreements: The OPC found that Desjardins’ security screenings were acceptable and consistent with currently recognized standards and practices. However, it was important to note that they were insufficient on their own to combat insider threats.
- Organizational policies and procedures: The OPC noted that policies and procedures were “pillars of privacy protection” and constituted vital organizational measures for protecting personal information throughout the life cycle. To that end, having and implementing adequate policies and procedures in itself constituted a safeguard. The OPC found that certain relevant policies and procedures were incomplete or had not been implemented.
- Employee training and awareness: The OPC found that there were critical gaps in employee training and awareness at the time of the breach. Although there were training and awareness programs for employees covering information security and protection of personal information, there were no indicators demonstrating that employees understood the content. The OPC questioned whether the training provided to employees made employees sufficiently aware of the importance of maintaining the confidentiality of personal information, and of the serious consequences of making personal information accessible to unauthorized third parties.
- Access controls and data segregation: The OPC found that Desjardins did not effectively manage access rights and data segregation, which were important security measures. Though there were rules about limiting access to employees with the appropriate authority, Desjardins’ information system allowed authorized users to move restricted data to unprotected directories and storage media without any controls. Desjardins could have reduced the exposure of the information by substituting it with non-confidential (masked) information. What is more, the personal information of some clients who were not Desjardins members was put in the banking data warehouse in error, and this constituted a failure to comply with Desjardins’ own standards governing the segregation of data.
- Oversight and monitoring: The OPC noted that data loss prevention (DLP) solutions were able to detect and prevent the potential exfiltration of sensitive data, and could be used to combat both external and insider threats by preventing the transferring of sensitive data. Also, a user and entity behaviour analytics (UEBA) was a solution that modelled user and device behaviours on organizational networks. And although there were several technological approaches that could have been used to ensure active monitoring of electronic information systems, none were used in this case—only passive measures were used such as analyzing event logs after incidents were reported. The OPC stated, “An organization like Desjardins, which handles a large volume of transactions involving sensitive personal information, must have an active monitoring system.”
2. Retention of personal information held by Desjardins
With respect to the personal information retention practices, Desjardins did not handle personal information in accordance with the retention and destruction requirements, contrary to PIPEDA Principle 4.5 (Limiting Use, Disclosure and Retention):
- the malicious employee inappropriately accessed 3.9 million inactive files—some had been inactive for decades.
- although Desjardins had a directive and policy that set out the guiding principles governing the retention of personal information, it did not have any procedures in place for destroying personal information at the end of its lifecycle.
- seven months after the incident, Desjardins still could not determine the retention period for the compromised inactive accounts.
- the OPC stressed, “retaining personal information longer than necessary risks causing harm to the individuals concerned.”
3. The mitigation measures offered by Desjardins to the affected individuals
The OPC concluded that Desjardins satisfied its obligations under PIPEDA Principle 4.7 (Safeguards), and noted that the measures taken by Desjardins significantly surpassed those taken by other organizations following a major data breach, since it took several steps:
- created a security office
- created an information security and privacy protection improvement program
- made improvements to the security screening
- improved certain policies and procedures
- improved the security training and awareness program for all employees and managers
- improved access controls and data segregation
- improved oversight and monitoring
- improved the retention of personal information
What can organizations take from this?
In addition to the efforts made by Desjardins following the breach, the OPC made further recommendations that emphasized the importance of having a culture of accountability, providing the necessary technological resources and training, and continuing to remedy the weaknesses. The OPC also stressed the need to use vigilance and a holistic approach when deploying measures to address and mitigate the impact of insider threats.
Moreover, the OPC recommended that Desjardins: provide a progress report every six months on actions taken to safeguard information; finalize and submit a retention schedule and destruction process; delete or anonymize any personal information for which the retention period has expired; demonstrate that requests for access and transfer of personal information are monitored when they involve volumes below the minimum threshold of the new analysis environment; demonstrate that Desjardins implemented measures to protect personal information throughout its life cycle; and retain the services of an accredited and experienced external auditing firm to assess and certify its information security and privacy program and submit a report.
Subsequently, Desjardins accepted and put in place many of the recommendations. Some will be implemented over time with set dates of completion. As a result, the complaints were considered to be well-founded and conditionally resolved, with progress being monitored.
As can be seen from the above discussion, it is critical for organizations to take the time to examine the PIPEDA Principles mentioned above, namely Safeguards (4.7), Accountability (4.1), and Limiting Use, Disclosure and Retention (4.5). Organizations are recommended to review their policies and procedures to ensure that they have addressed the above points so they can benefit from the lessons learned. Not only is it important to create the policies and procedures, but it is also necessary to regularly review them given the rapid pace of technology. And in order to address the issue of insider threats, it is important to ensure that all members of the management team work together to create a culture of accountability.