Question


The report says the breach compromised the data of nearly 9.7 million Canadians. The accounts included seven million based in Quebec, said Diane Poitras, the president of Quebec's Commission d'accès à l'information.

For at least 26 months, a "malicious" employee copied sensitive personal information collected by Desjardins from customers who had bought or received products offered directly or indirectly by the organization, the report says.

The information was originally stored in two data warehouses to which the employee had limited access. However, other employees, as part of their work, would regularly copy that information onto a shared drive. As a result, employees who would not usually have the required clearance or the need to access some of the confidential data were able to do so, the report says.

Speaking to reporters, Therrien called it unacceptable that a company the size of Desjardins didn't have the ability to prevent the breach.

"Canadians expect banking information to have a high level of protection, given its sensitivity," he said.

The privacy commissioners' probe found a series of gaps in the company's administrative and technological safeguards, including:

  - Desjardins didn't ensure the proper implementation of its policies and procedures for managing personal information, some of which were inadequate to begin with.
  - Access controls and data segregation of the databases and directories were inadequate.
  - Employee training and awareness were lacking given the sensitive nature of the personal information the organization had.
  - The company didn't have procedures regarding the periodic destruction of personal information.

"Desjardins had recognized some of the security weaknesses that ultimately led to the breach and had developed a plan to remedy them. Nonetheless, it failed to rectify the issues in time to prevent what happened," said Therrien.

"Moreover, the breach occurred over more than a two-year period before Desjardins became aware of it, and then only after the organization had been notified by the police."

However, Therrien said he is satisfied with the mitigation measures Desjardins offered to the affected customers after the breach.

For its part, Desjardins said it wasn't conducting interviews in response to the report. In a statement, the company said that it will work over the next few years to create what it called a digital identity platform. The company said this will allow information to be shared more securely and give people more control over their own data.

Excerpt from the report of the Office of the Privacy Commissioner of Canada:

The compromised personal information was originally stored in two Desjardins data warehouses, the credit data warehouse and the banking data warehouse. Access to the latter was segmented according to whether the information was confidential (which included personal information) or non-confidential. The credit data warehouse was not segmented, and employees with the necessary authorizations could access all of the data, including personal information.

Our investigation revealed that in the course of fulfilling their duties, certain employees from Desjardins' marketing department copied the compromised personal information from both data warehouses to the marketing department's shared directory, accessible to all employees of the department. These employees had the necessary authorizations to access the data warehouses, including confidential information (and personal information). The employee identified by Desjardins as the source of the breach, referred to in this report as the malicious employee, did not have access rights to personal information held in the banking data warehouse. However, he did have access to other non-confidential information contained in this warehouse.

More precisely with respect to the above, each month one or more employees performed an automated transfer of personal information from the credit data warehouse to their user folder(s) in the marketing department's shared drive. Other employees in the marketing department copied confidential personal information from the banking data warehouse to a shared drive. Once transferred, employees who did not have the necessary authorizations to access the confidential information in the data warehouses were able to access it freely.

Between March 2017 and May 2019, the malicious employee copied this personal information from the shared drive, including information he would not normally have access rights to in the banking data warehouse, onto his work computer and then onto USB keys. This was in contravention of the confidentiality agreement he signed in the course of his employment.

According to various media reports, the malicious employee is suspected of having sold some of the personal information to a private lender. Some of the information was reportedly then forwarded to a second private lender, who was also a mortgage broker, and his partner, an investment and insurance advisor. This partner allegedly admitted to investigators from the Autorité des marchés financiers that he paid $40,000 to buy lists of Desjardins members' personal information. As of the completion of this report, the police authorities were still conducting their investigation into the Desjardins breach.

How the breach occurred

Our investigation revealed that the compromised information was copied by certain Desjardins marketing department employees from the two data warehouses to the marketing department's shared drive. As mentioned above, these employees had the necessary authorizations to access the confidential information.

Each month from January 2016 to June 2018, one or more employees from the marketing department used a manual script to transfer data, including personal information, from the credit data warehouse to their user folder in the shared directory. Desjardins characterized this operation, of which several employees were aware, as being non-compliant with best practices.

On September 18, 2017, and November 13, 2018, certain employees of the marketing department copied confidential information, including personal information, from the banking data warehouse to the shared directory. This information was copied into subfolders that were accessible to all the employees in the marketing department. Desjardins also found that these practices were not compliant with its rules. These employees should have copied the protected information into the confidential folder of the marketing department's shared directory.

The malicious employee did not have the necessary authorizations to access the confidential information in the banking data warehouse. By using personal scripts, the malicious employee was able to compile the data saved by his colleagues in the shared directory. The malicious employee then saved this information in his user folder and in another folder of the marketing department's shared directory.

He then used file sharing software to transfer the compiled information to his work computer and then onto USB keys.

Analysis

The affected personal information varies depending on the product or service received by the Desjardins member or client. For some, it includes first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories. Such data elements can be considered sensitive on their own. When combined, they can also be exploited by malicious individuals to steal the identities of the persons concerned. Therefore, in accordance with PIPEDA, the security safeguards implemented by Desjardins to protect this personal information should be commensurately high.

Prior to 2019, Desjardins invested a significant portion of its overall information security budget to fight against external threats. However, the breach that is the subject of our investigation is internal in nature. These breaches are those that occur as a result of actions taken by people who work within an organization and may compromise the confidentiality, integrity and availability of information held by the entity. They can be intentional or not, and are more difficult to prevent than attacks caused by external threats, in particular because they are the work of technically competent employees who know the company's systems and security weaknesses, where information is located, and how to circumvent the protective processes in place.

There are generally three types of insider threats. The first type is unintentional and non-malicious, such as when an employee downloads a document onto their computer because they are unaware of the existence of policies and procedures prohibiting this act. The second type is intentional but non-malicious, such as when an employee copies personal information to an open shared directory to speed up their work, despite policies and procedures prohibiting this practice. Finally, the third type is intentional and malicious, such as when an employee copies confidential information onto a personal USB key, knowing that this violates existing policies and procedures, doing so for personal gain, revenge or as a form of protest.

The investigation revealed that Desjardins is an organization in which a sense of employee belonging is very present, and where there is a climate of trust. It is commendable to have a trusting relationship with employees, but it must also be accompanied by a culture that adopts verification and control measures. Although the organization had implemented certain measures to deal with an insider threat, we found that it did not have all the necessary measures in place to detect the scheme carried out by a malicious individual who, according to Desjardins, was a skilled and high-performing employee, and who was a key resource for many of his colleagues. In our view, the absence of a culture of vigilance against internal threats significantly contributed to the breach.

Several measures can be taken to combat insider threats. For our analysis in this case, we focused on the five elements below. We consider them particularly relevant to the breach that occurred at Desjardins:

  1. Security screening and confidentiality agreements
  2. Organizational policies and procedures
  3. Employee training and awareness
  4. Access controls and data segregation
  5. Oversight and monitoring

Security screening and confidentiality agreements

Security screenings are the first line of defence against insider threats and are considered an organizational protective measure (see Principle 4.7.3 (b) under PIPEDA). They allow the organization to identify job candidates or employees with suspicious backgrounds or conduct that make them unsuitable to be given access to certain resources.

At the time of the breach, Desjardins was conducting security screenings before hiring employees or when transferring them to a new position. For employees in designated positions, security clearances are renewed every five years.

Desjardins stated that its security division had conducted a security check on the malicious employee prior to his hiring. The screening raised no concerns. After he was hired, the employee signed a code of conduct attestation on an annual basis. He also signed a confidentiality agreement specific to his duties.

The OPC found that Desjardins' security screenings are acceptable and consistent with currently recognized standards and practices. While security screenings are necessary, they are insufficient on their own to combat insider threats. Additional security safeguards are required, such as policies, training and control measures.
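The two control gaps the report describes under "Access controls and data segregation" and "Oversight and monitoring" lend themselves to a mechanical audit: confidential records copied from a segmented warehouse into a shared-drive folder whose ACL is wider than the entitlement at the source, and reads of such a folder by staff who were never entitled to that data at the source. The Python script below is an added example written for this page; it is not code from the report, from the OPC or from Desjardins. Every user, path, ACL and event in it is constructed for illustration, and it assumes an organization can export a per-source classification, per-user source entitlements, a per-folder read ACL, and copy/read events in the shapes shown.

```python
"""Shared-drive exposure audit (added example; all data below is constructed)."""
from collections import defaultdict
from dataclasses import dataclass

# Classification of each source of record.  The banking warehouse is
# segmented, so its confidential and non-confidential partitions are
# modelled as separate sources; the credit warehouse is not segmented.
SOURCE_CLASS = {
    "credit_dw": "confidential",
    "banking_dw/confidential": "confidential",
    "banking_dw/public": "non-confidential",
}

# Entitlements at the source of record (constructed).
USER_ENTITLEMENTS = {
    "alice": {"credit_dw", "banking_dw/confidential", "banking_dw/public"},
    "bob":   {"credit_dw", "banking_dw/public"},   # no banking confidential
    "carol": {"banking_dw/public"},
}

# Shared-directory folders and who may read them (constructed).  The
# department-wide folders are the gap: every marketing user can read them.
FOLDER_ACL = {
    "/shared/marketing/confidential": {"alice"},
    "/shared/marketing/campaigns":    {"alice", "bob", "carol"},
    "/shared/marketing/users/alice":  {"alice", "bob", "carol"},
}


@dataclass(frozen=True)
class Copy:
    """A transfer of data from a source of record into a shared folder."""
    user: str
    source: str        # key of SOURCE_CLASS
    dest_folder: str   # key of FOLDER_ACL


@dataclass(frozen=True)
class Read:
    """A read of a shared folder, as a file-server audit log would record it."""
    user: str
    folder: str
    n_files: int


def misplaced_copies(copies):
    """Confidential data placed where the folder's readers exceed the set
    of users entitled to its source.  Returns (folder, source, unentitled)."""
    findings = []
    for c in copies:
        if SOURCE_CLASS[c.source] != "confidential":
            continue
        readers = FOLDER_ACL[c.dest_folder]
        unentitled = {u for u in readers
                      if c.source not in USER_ENTITLEMENTS.get(u, set())}
        if unentitled:
            findings.append((c.dest_folder, c.source, frozenset(unentitled)))
    return findings


def exposure_map(copies):
    """For each folder, the confidential sources whose data now sits there."""
    exposed = defaultdict(set)
    for c in copies:
        if SOURCE_CLASS[c.source] == "confidential":
            exposed[c.dest_folder].add(c.source)
    return exposed


def unentitled_reads(copies, reads):
    """Reads of a folder by a user lacking entitlement to a confidential
    source copied there.  Returns (user, folder, sources_gained, n_files)."""
    exposed = exposure_map(copies)
    findings = []
    for r in reads:
        gained = {s for s in exposed.get(r.folder, set())
                  if s not in USER_ENTITLEMENTS.get(r.user, set())}
        if gained:
            findings.append((r.user, r.folder, frozenset(gained), r.n_files))
    return findings


# Constructed events mirroring the report's narrative: a monthly script
# drops credit-warehouse data into a user folder, one banking copy lands in
# a department-wide folder instead of the confidential folder, one is
# placed correctly.
COPIES = [
    Copy("alice", "credit_dw", "/shared/marketing/users/alice"),
    Copy("alice", "banking_dw/confidential", "/shared/marketing/campaigns"),
    Copy("alice", "banking_dw/confidential", "/shared/marketing/confidential"),
]
READS = [
    Read("bob", "/shared/marketing/campaigns", 240),
    Read("carol", "/shared/marketing/users/alice", 12),
    Read("alice", "/shared/marketing/confidential", 3),
]

if __name__ == "__main__":
    for f in misplaced_copies(COPIES):
        print("MISPLACED  folder=%s source=%s readable_by=%s" % f)
    for f in unentitled_reads(COPIES, READS):
        print("UNENTITLED user=%s folder=%s sources=%s files=%d" % f)
```

`misplaced_copies` is the control that would have caught the September 2017 and November 2018 copies at the time they were made, because the check is on the destination's ACL, not on the copier's own rights; `unentitled_reads` is the monitoring view, which only needs the file server's read events joined to the same entitlement table. Both checks are deliberately driven by entitlement at the source of record, so a user's membership of a department-wide folder ACL is never by itself treated as authorization for the data inside it.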

Step 2: The report by the Office of the Privacy Commissioner of Canada provides an analysis of the technical, organizational and HR-related weaknesses that led to the data breach. The data breach occurred due to the actions of a malicious employee. Respond to the following based on your reading of the report.

  1. What was the motivation/reward that would prompt the malicious employee to perform the data breach? In essence, why did they do it?
  2. Identify at least two structural failures that allowed the data breach to occur.
  3. Identify at least two process/security failures that allowed the data breach to continue over the two-year period noted in the report.
  4. Identify at least two HR failures that allowed employees to engage in the continued data breach.
  5. The report includes a series of HR/employee related recommendations. In your opinion, are these sufficient to restore public and organizational trust? Explain your rationale.
  6. As an HR practitioner, what additional steps would you put into place? Explain why these are necessary from an HR perspective.
