According to the Insider Threat Report 2018, 90% of companies feel vulnerable to insider attacks. The same report reveals that 53% of companies suffered an insider attack in the last 12 months. There are two types of insider threat: malicious insiders, who attack the company on purpose, intentionally causing damage, and accidental insiders, who cause problems for the company by acting negligently.
The Ponemon Institute Cost of a Data Breach Study explains that, along with hackers, malicious insiders are the leading cause of data breaches, and that the incidents caused by insiders tend to have higher costs than other breaches.
Desjardins Group, victim of an insider
Towards the end of June this year, Desjardins Group, a Canadian bank and the largest federation of credit unions in North America, announced a data breach in the company. The breach affected around 2.7 million people and as many as 173,000 companies.
According to Desjardins, the person behind the breach was an employee who improperly gathered information about the bank’s customers, and shared it with a third party outside the financial institution. The employee was fired and arrested, but has yet to be charged.
Guy Cormier, CEO of Desjardins Group, explained that this wasn’t an ordinary case of a company with no controls to prevent access to sensitive data. He said that no individual in the bank has authority to access information on all its members. This means that the malicious insider used his own privileged access along with other employees’ privileged access to gather all the information that he stole.
The stolen information included names, addresses, dates of birth, social insurance numbers, email addresses and information on customers’ transaction habits. Customers’ passwords and PINs were not affected.
Detecting the breach
The first indicator that something wasn’t right came in December 2018. Desjardins notified the police of several suspicious transactions, but it took several months to discover the full extent of the problem. During this time, the company worked with the police to investigate the problem. In May, the police informed the company that the personal information of 2.7 million people had been illegally shared.
Although this might seem like a long time to detect a breach, the Ponemon Institute report calculates that the average time to detect a data breach is 197 days.
What is Desjardins doing to protect its customers?
Desjardins has imposed extra security measures, such as additional steps when confirming members’ identity. The company is also contacting all of those affected by the breach, and has offered the victims identity theft insurance, as well as a credit monitoring plan.
The Ponemon Institute considers these services to be direct costs of a data breach; according to the study, Canada has the highest direct costs for a data breach: $81 per compromised record.
How to protect your company
The costs of a data breach are extremely high – $3.86 million on average last year – and the study was carried out before the GDPR came into effect. This year, this regulation is very likely to cause an increase in the cost of a data breach.
To avoid these costs, it is vital to protect the personal data that your company handles. Proper protection includes the ability to know who is accessing this data, who is handling it, and what actions are being carried out on it. This way, you’ll be able to stop anyone – be it an external hacker or a malicious insider – from stealing personal data.
Panda Data Control offers these measures. What’s more, it also provides constant monitoring of the unstructured personal data on your company’s network, so that you know exactly where it is at all times.
This case is a dramatic example of the impact that insiders can have. Unfortunately, insiders – both malicious and accidental – can cause all sorts of damage. This is why constant monitoring of the whole IT system is an essential step in your company’s security.
The post A bank, an insider, and 2.7 million people’s data stolen appeared first on Panda Security Mediacenter.