Summer Breach Season Claims Canadian Credit Union
The credit union reports “an ill-intentioned employee” swiped data of 2.9 million members.
The $295.5 billion Lévis, Quebec-based Desjardins, Canada’s largest credit union with 7 million members and 46,216 staffers, and one of the world’s largest financial institutions, disclosed an employee-caused breach.
In a statement posted on its website, the financial institution said “an ill-intentioned employee” swiped data of 2.9 million members (2.7 million home users; 173,000 businesses and associated contacts). “In light of these events, additional security measures have been put in place to ensure all our members’ personal and financial data remains protected.”
According to a CBC report, Desjardins referred a suspicious transaction to Laval police in December 2018. In May, police informed Desjardins that personal information had been leaked. Desjardins said no passwords, security questions or personal identification were compromised.
Dan Tuchler, chief marketing officer for SecurityFirst, had a quick reaction: “The bank is saying that credit card numbers, security questions, and so on were not taken. Is this supposed to make it OK?” Tuchler added that those with exposed personal information are going to be concerned. “Enterprises, especially banks, need to take both technical steps and human process steps to prevent this type of breach.”
In other cybersecurity news, ZDNet reported that a hacker known as Gnosticplayers put another notch in their hacking belt: EatStreet, an online and mobile food ordering service that serves over 250 cities and more than 15,000 restaurants, disclosed a security breach last month.
EatStreet said the hacker had access to its computer network from May 3 until May 17, when the company detected the intrusion and promptly terminated the hacker’s access.
The hacker also accessed information on restaurants participating in its service and on third-party delivery services. The accessed information included names, phone numbers, email addresses, bank account numbers, and routing numbers for restaurants and delivery services. For customers, the data might include credit card numbers, expiration dates, card verification codes, billing addresses, email addresses, and phone numbers.
In April, ZDNet reported that Gnosticplayers wanted to sell the data of over one billion users and was getting dangerously close to that goal, having released more than 900 million records. The hacker’s previous victims included Australian graphic-design website Canva, Toronto-based online photography community 500px, and American apparel company Under Armour.
“Once data has been stolen, it’s used in a number of ways, including account takeover and identity fraud,” Lisa Baergen, vice president of marketing at NuData Security, a Mastercard company, said. “More recently, we’ve seen a change in the value of stolen data as more and more institutions are implementing user authentication solutions that render stolen data valueless. The loss of credit card data is a worry for all organizations, not just the targeted company. The data lost has the potential to be lucrative in the hands of cybercriminals, who can use the card number and CVC to accurately mimic the legitimate customer in order to make fraudulent purchases, or facilitate further cybercrime.”
In another incident, the Oregon Department of Human Services updated a previously reported breach resulting from phishing, almost doubling the previous estimate of affected individuals to 645,000. The breached information potentially included full names, addresses, birthdates, Social Security and case numbers, and protected health information.
The department said nine employees opened the phishing email on January 8, 2019, and reported problems almost immediately.
Willy Leichter, vice president at Virsec, asserted, “The scale of this breach is startling considering it was perpetrated through just nine successful phishing emails. Many organizations still rely on ‘common sense’ of users not to click on phishing attempts, but that is completely inadequate.” Leichter maintained that organizations must move to defenses that assume users will make mistakes but still protect critical applications and data.
“Three things stand out in this phishing case,” Colin Bastable, CEO of Austin, Texas-based Lucy Security, said. “First, the 19-day delay between detecting the phishing attack and shutting down the email accounts. Second, the same local-to-Oregon company hired to undertake the data analysis for $485,000 is providing the credit monitoring service to 645,000 Oregonians, for just over $1 million. Third, they were using email as a data storage solution. Why on earth are they sending and saving confidential documents as unsecured attachments via email?”
Pravin Kothari, founder and CEO of San Jose, Calif.-based CipherCloud, also commented, “It’s not surprising that phishing and account takeover, which are known as top threats to any organization, were exploited in this breach.” Additionally, Kothari said, “What’s surprising is that the email attachments with sensitive personally identifiable information and protected health information did not have any protection.”
Kothari warned, “With the growing number of regulations on data privacy of individuals, such as EU GDPR, HIPAA and the upcoming California Consumer Privacy Act, exposing such PII and PHI data opens the organization to breaches, reputational damage, as well as stiff penalties.”
Rod Simmons, vice president at Hawthorne, N.J.-based STEALTHbits Technologies, suggested, “Breaches of over a half million records are becoming a common occurrence that almost can go unnoticed. We all want this loss of data to stop; the challenge we face is perfection. The hackers only need to be right once, we must be perfect every time, and that is an unrealistic goal.”