Employee-Perpetrated Data Breach Compromises 2.7 Million Customer Records and 173,000 Businesses

A massive data breach was recently discovered at Desjardins, one of the largest federations of credit unions in North America. Names, addresses, birth dates, social insurance numbers, email addresses and information about the transaction habits of 2.7 million group members and 173,000 business customers were compromised. The data breach was perpetrated by an employee who has since been fired.

While cybersecurity remains a real and constant priority, the focus of many businesses tends to be on external threats, i.e. hackers, computer viruses, etc. However, incidents like the one that just came to light at Desjardins and similar situations elsewhere (including this recent one in the healthcare field) demonstrate that the threat from within an organization can be just as grave when employees have access to sensitive information and/or internal security is too easily compromised. According to some experts, roughly a third of reported breaches are caused by an insider.

In this specific case, no credit card data was among the compromised information. However, the incident demonstrates that protecting critical information from within is equally as important as protecting from external threats.

Think about your own situation. If you are running a business or an organization in which your customers provide your staff with credit card information over the telephone, how secure is your own payment environment? For example, are your computer stations locked down, i.e. set up only for entering payment information in one place, as opposed to letting people keep multiple windows open to perform a variety of other tasks? Do people keep their personal phones at their desks, or pens and paper? If the answer to any of these is yes, then not only are you vulnerable to a breach from within in which your customers’ credit card information can be compromised, you are also in violation of PCI compliance standards.

Lessons

The lesson to be drawn from the fallout of what happened at Desjardins and similar occurrences is not that employees are inherently untrustworthy, but rather that securing all of your payment channels matters so much that their trustworthiness is not even an issue. Allowing your customers to call in to pay for products and services over the telephone means that you are taking on all responsibility for securing that payment channel, and all liability if any information is compromised.

If you accept payments of any kind over the phone, you are also subject to PCI compliance and need to adhere to the requirements that pertain to it. PCI requirements are far more technical than most other industry standards and involve overseeing and controlling areas of business activity that many organizations are not used to managing closely. There is a complete set of PCI compliance guidelines specific to a live-staff environment. You can find more information on PCI compliance here.

Taking Action

As a business manager, your goal needs to be removing the inherent risk you run when your live staff handles credit card information. In addition to implementing formal information security policies, you can implement measures that remove or limit employee access to sensitive information.

One approach to achieving this is to deploy automated IVR Pay-By-Phone technology, which removes your live staff from collecting, hearing or otherwise being exposed to any customer credit card information.

You can employ a fully automated Pay By Phone (IVR Payments) solution that processes payments 24/7, or you can adopt a hybrid approach in which your live staff assists customers up to the point where credit card information is to be exchanged. Either way, your customers can rest assured that their credit card information is never accessible to live staff and so cannot be compromised by them. This is not only an advantage for customers; businesses benefit as well from the increased security and the cost reduction that accompanies any type of automation. Ensuring PCI compliance saves both time and money (the fines associated with a credit card data breach are steep, not to mention the lost business and bad publicity), which can then be used instead to improve and expand your business.
