Insider threat: When a company data breach comes from within

There's one kind of cybersecurity breach that is among the hardest to defend against: the one where the weak link is a trusted person already operating inside the organization.

Most breaches we hear about in the news involve external threats. Criminals hack into servers, hold data hostage, or leak sensitive information to the public. These outside attackers use tactics such as phishing to get a foothold inside the organization with the intent to do harm.

But just as damaging is someone who, for whatever reason, decides to harm the company from the inside.


On Thursday Desjardins Group in Quebec announced that a former employee had publicly shared the personal information of 2.9 million members, including names, phone numbers, dates of birth, email addresses, social insurance numbers and banking habits: in short, everything a criminal needs to commit identity theft.

This breach is huge, affecting roughly 40 per cent of Desjardins' members. Desjardins is offering to pay for credit monitoring as well as a year's worth of identity theft insurance for those affected, but it's hard to know whether this will be enough to prevent fraudsters from taking advantage of the situation. Unlike a password, a social insurance number or date of birth cannot be reset, so the exposure outlasts any one-year monitoring period.


This kind of action is a bit like working undercover, except that instead of investigating illegal activity as the police do, the goal is to commit crimes by building relationships and earning the trust of peers. The accused ex-employee, whose name has not been released, was a valued Desjardins employee with legitimate access to the kinds of information needed to do major damage. According to Desjardins, he also persuaded other employees to retrieve records he was not authorized to access himself, a technique known as social engineering.

To "social engineer" is to manipulate people psychologically into performing actions or divulging private information. The former employee used social engineering for malicious ends, ultimately betraying his employer and its members. This is so hard to prevent because human nature is to suspect strangers, not friends or colleagues, of wrongdoing.

To avoid falling victim, companies should reinforce the importance of data privacy and ramp up cybersecurity training, including covering all the ways people use social engineering: by phone, by email, by text or, as in this case, in person. Staff who recognize the manipulation are less likely to be taken in. Training alone is not enough, though: a request from a trusted colleague to pull records outside that colleague's own role should still go through the normal authorization process, and bulk access to member records should be logged and reviewed so that an insider cannot quietly extract millions of files.


If you’re a Desjardins member whose data was compromised, and even if you’re not, here's how to protect yourself against identity fraud: 

  • Take advantage of the credit monitoring offered by Desjardins, or of another credit monitoring service. Credit monitoring alerts you to changes in your credit report that can signal identity fraud, such as a new account being opened in your name.

  • Lock down your digital identity and your accounts: stop reusing passwords (create a new, long one for every site and store them in a password manager); enable two-factor authentication wherever possible; and be vigilant about emails you receive, particularly any that mention the Desjardins breach itself, because phishers will try to exploit the fear surrounding this news item.

  • Pay close attention to transactions not only on your Desjardins accounts but on all your financial accounts, because SINs, birth dates and banking habits were potentially exposed, and these are the keys to the kingdom when it comes to identity theft.
Contact the Beauceron Security Team. // 1-877-516-9245