Capital One, Desjardins, Equifax. Time for the Financial World to Rethink Data Security

Gene Villeneuve


Following the Capital One data breach, and the long list of breaches that have taken place in recent months, there is a real fear that data security (from social insurance numbers to bank account details) has become an anomaly. One of the largest breaches in North America, Capital One’s exposure of the personal information of more than 100 million people who’ve dealt with them since 2005 seems impossible, and yet it’s become commonplace. Why hasn’t the Financial Services world awoken to the reality that outdated tech security, including VPNs, and trust in individual employees are no longer enough to insulate them from security threats?

Just last week, North American credit-checking agency Equifax was ordered to pay $700 million in compensation to victims of its 2017 data breach. And bank users are still reeling after the June 20th revelation that Desjardins Group, North America’s largest network of credit unions, leaked the financial data of 2.7 million personal banking clients and 173,000 businesses. The data breach affected 40 percent of users in the Canadian Province of Quebec, where Desjardins is headquartered, and had global reach.  

Capital One, Equifax and Desjardins are among the most high-profile Financial Services failings. Together they highlight significant shortcomings in data security and data stewardship in the financial sector. For both Desjardins and Equifax, the breaches came down to the actions of a single employee.

And although cyberattacks continue to be the top trigger of data loss, half of all data leaks come down to internal malicious actions or to employee or third-party partner error: actions that are arguably preventable with the right safeguards in place.

Data breach costs continue to soar

Astonishingly, businesses haven’t yet woken up to the costs associated with careless stewardship of people’s personal data. IBM and the Ponemon Institute put a price tag on these breaches in their annual Cost of a Data Breach Report released July 23rd. No surprise that the number, breadth, and costs of data breaches accelerated in 2018 and early 2019. 

Key findings from the report show:

- Companies worldwide suffered an average financial loss of US$3.92 million and compromised more than 25,575 records per breach in 2018.

- The average cost per breach has risen 12 percent over the past five years. And while most breaches are discovered within the first year, more than 10 percent aren’t uncovered until one or two years after the breach has taken place, boosting the overall financial loss.

- In the U.S. a data breach cost an average $8.19 million last year, nearly twice the global average and 130% higher than in 2004.

- The healthcare sector tops the list as the most vulnerable sector, followed by financial services.

The price of lost business

One of the most expensive outcomes of compromised data is loss of business. In 2019, companies that failed to protect personal information of their clients saw an average 3.9 percent customer turnover. Fully 36% of overall costs following a data breach come down to loss and disruption of business.

As such, a data breach can be devastating for small and medium-sized companies. IBM reports that organizations with between 500 and 1,000 employees have an average breach cost of $3,533 per employee, compared to just over $200 per employee for organizations with more than 25,000 employees.

Nearly half of breaches triggered by an employee 

In the Desjardins incident, there was no malicious attack to infrastructure from outside the company. Rather, it was determined that a single employee was responsible for leaking personal records of financial clients. Desjardins has been quick to get their public relations machine in motion, promptly firing the guilty employee and introducing new identity-check measures for its online and telephone banking clients. But it’s hardly comforting for their clients to know that an individual could so easily access and share their personal data.

Third-party partners and vendors increase the risk of data breach

In early July, Desjardins announced a new in-house insurance package to protect its clients in the event of a future data compromise. The financial group is also offering clients an optional insurance add-on provided by its new partner, Equifax. This new third-party partnership may trigger more skepticism than trust, however, given the infamous reputation of Equifax where data stewardship is concerned.

“Breaches originating from a third party – such as a partner or supplier – cost companies $370,000 more than average, emphasizing the need for companies to closely vet the security of the companies they do business with, align security standards, and actively monitor third-party access.” Cost of a Data Breach Report, IBM and Ponemon Institute, 2019.

Automated protections

Companies that have data breach response measures in place will suffer fewer financial losses than those without a response plan. But automated solutions that protect against vulnerabilities are a more robust means of preventing a breach in the first place.

For today’s complex global companies, big or small, that’s where Tehama comes in. Tehama creates a secure, cloud-based workspace for IT service delivery and development. By connecting your global and remote teams and your vendors in clean end-user compute white rooms, access is controlled through one central management panel, and all activity is recorded. The software-as-a-service replaces outdated VPNs and insecure hardware, and lets you tighten and monitor who can access your data, when and where, with additional protection against endpoint malware and intrusion.

We won’t know the full financial impact of these data breaches for months, or possibly longer. Unlike public companies, Desjardins is a co-op that isn’t required to publish its numbers. It may require some investigative work to review its annual report and trace the costs back to the leaked data. Based on historical evidence, however, we can predict Desjardins will have to compensate its customers – those that haven’t fled – by some token amount, multiplied by 2.7 million impacted customers.

We all know that private and business data is out there, and it’s not anonymized. Your cell phone company, your hydro provider, and the government all harbour your private data. But the standard of care in banking, as we see with Capital One, Desjardins and Equifax, and so many others, is inadequate. Financial companies can and should do better. They can’t afford not to.

To find out how Tehama can help your business work with third-party service providers in an efficient, safe, and cost-effective way, download the white paper.
