[BreachExchange] Desjardins had 'series of gaps' in system, leading to massive data breach

Destry Winant destry at riskbasedsecurity.com
Mon Dec 14 10:27:33 EST 2020


https://www.yahoo.com/entertainment/desjardins-had-series-of-gaps-in-system-leading-to-massive-data-breach-144930455.html

Desjardins had a “series of gaps” in its systems that failed to meet
the requirements under Canada’s privacy act to protect 9.7 million
Canadians after a data breach, Canada’s privacy watchdog says
following an investigation.

The investigation’s results, released today, said the financial
services cooperative did not have proper policies and procedures for
managing personal information; access controls and data separation
were inadequate; employee training and awareness were lacking; and the
bank did not put in place a retention period or procedure with respect
to the destruction of personal information.

“Desjardins did not demonstrate the appropriate level of attention
required to protect the sensitive personal information entrusted to
its care,” Daniel Therrien, Canada’s privacy commissioner, said in a
release.

“The organization’s customers and members, and all citizens, were
justifiably shocked by the scale of this data breach. That being said,
we are satisfied with the migration measures offered to those affected
and the commitments made by Desjardins.”

The data breach took place last summer, when an employee leaked names,
addresses, social insurance numbers, birth dates, email addresses, and
information about users’ transaction habits. At the time, Desjardins
confirmed that it had not been a target of a cyberattack and that the
employee had been fired.

Desjardins did recognize some of its security weaknesses, the release
said, but “failed to rectify the issues in time to prevent what
happened.”

“Moreover, the breach occurred over more than a two-year period before
Desjardins became aware of it, and then only after the organization
had been notified by the police,” the release said.

