A rogue employee tore a 2.9-million-record hole in his employer’s IT infrastructure, according to an advisory posted by Canada’s Desjardins Group, the largest federation of credit unions in North America. The breach, carried out by the since-fired employee, involved the exfiltration of 2.7 million individuals’ records and 173,000 businesses’ records – about 41% of Desjardins’ clientele. The leaked information included names, birth dates, social insurance numbers, addresses, telephone numbers and email addresses, as well as information on banking habits – all of which was illegally transferred to a third party.
Desjardins reported that there was no breach, that it did not come under a cyber attack, and that its systems are fine. It described the incident as “an ill-intentioned employee who acted illegally and betrayed the trust of their employer”. Desjardins’ framing of the incident conflicts with that of the Canadian Office of the Privacy Commissioner, which defines a cyber breach as “the loss of, unauthorized access to, or disclosure of, personal information, including when personal information is stolen, lost or mistakenly shared”.
With DataStealth, you can transparently apply Attribute Based Access Control (ABAC) to existing applications and data flows, with no development work and no software, plugin or agent installation required, and access decisions are executed dynamically in real time. Where traditional access control systems produce only a ‘permit’ or ‘deny’ decision, DataStealth offers additional outcomes such as de-identification, masking or tokenization of individual data elements.
DataStealth also captures metadata at the time data is collected (IP address, geo-location, user, application, source, destination, time of day, day of week and more), applies heuristics to establish a user’s normal rate of consumption, and then applies rate limiting against that user’s behaviour to ensure no unusual consumption occurs.
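The decision flow described above, as an added illustration that is not DataStealth’s or Datex’s code: a small ABAC evaluator whose outcome can be permit, deny, mask or tokenize, placed behind a per-user sliding-window consumption limit that stands in for a learned baseline. The attribute names, rules, cap and token key are assumptions constructed for the example.

```python
from collections import deque
import hashlib
import hmac

PERMIT, DENY, MASK, TOKENIZE = "permit", "deny", "mask", "tokenize"
TOKEN_KEY = b"constructed-demo-key"  # a real deployment keeps this in a vault/HSM


class RateLimiter:
    """Sliding-window cap on records consumed per user; the fixed cap stands in
    for a baseline that heuristics would learn from normal consumption."""
    def __init__(self, max_records, window_seconds):
        self.max_records, self.window, self.events = max_records, window_seconds, {}

    def consume(self, user, records, now):
        q = self.events.setdefault(user, deque())
        while q and now - q[0][0] > self.window:
            q.popleft()                         # drop events outside the window
        if sum(n for _, n in q) + records > self.max_records:
            return False                        # unusual consumption: do not serve
        q.append((now, records))
        return True


def decide(req, limiter):
    """Map subject/resource/environment attributes to an outcome (constructed rules)."""
    if not (8 <= req["hour"] < 18) or req["weekday"] >= 5:
        return DENY                             # outside business hours
    if not limiter.consume(req["user"], req["records"], req["time"]):
        return DENY                             # far above this user's baseline
    if req["role"] == "fraud_analyst" and req["app"] == "case_mgmt":
        return PERMIT                           # needs the clear-text SIN for the job
    if req["role"] == "marketing":
        return TOKENIZE                         # can join on the token, never sees the SIN
    if req["role"] == "support":
        return MASK                             # sees only the last three digits
    return DENY


def apply_outcome(record, outcome):
    """Transform a client record according to the outcome; DENY yields None."""
    if outcome == DENY:
        return None
    out = dict(record)
    if outcome == MASK:
        out["sin"] = "***-***-" + record["sin"][-3:]
    elif outcome == TOKENIZE:   # keyed, deterministic token: same SIN -> same token
        out["sin"] = hmac.new(TOKEN_KEY, record["sin"].encode(), hashlib.sha256).hexdigest()[:16]
    return out
```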
In the case of Desjardins, had DataStealth been deployed with ABAC turned on (including heuristics and rate limiting), the “ill-intentioned employee who acted illegally and betrayed the trust of their employer” would not have been able to get through Desjardins’ layers of security and steal 2.9 million client records.
Read more about this great solution by our partner Datex using this link.