Insight. Innovation. Industry.
Risk Management / Technology /  •

The high stakes of a data breach

Hackers thrive on stolen information. Is your credit union protected?

data breachLast August, husbands and wives took to the Internet to check up on their spouses.

People looked for the names of friends, enemies, co-workers and celebrities. Some 33 million client files from the cheaters’ hookup site Ashley Madison lit up the web, dumped there by hackers who said they were disgusted by the site’s business model. The company had assured clients that their data was safe. It wasn’t.

The Ashley Madison hacking has turned out to be a nightmare, not only for the website and its clients, but also for the thousands of innocent people whose emails were ripped off by real Ashley Madison customers: the company did not require email addresses to be verified. Within days, according to Toronto police, at least two people whose names were in the data dump killed themselves. Several class action lawsuits, including one for $750 million, were filed against Ashley Madison and related companies.

The consequences of a data breach

Financial services institutions, of course, function using a much different kind of personal information — but it’s meant to be just as private. Imagine the consequences if a data breach happened to a credit union. A leak in the system would be traumatic for everyone, but data protection is particularly important to the younger generation of potential members that the credit union movement needs in order to remain viable. They expect instant communication on different platforms such as tablets and smartphones. Yet they’re also keenly aware of the recent Ashley Madison disaster.

The 2013 data breach at retail giant Target, when thousands of credit card numbers were hacked, also heightened concerns about the safety of private financial intelligence. The information rupture cost Target $10 million to settle a class-action lawsuit, plus a lot of consumer goodwill.

And according to the American Bankers Association, Target had to reissue 6.8 million credit and debit cards out of concern for fraud, costing financial institutions more than USD$60 million — resources that could have been reinvested in the community and in better technology, products and services for customers.

Not just criminals

Criminals aren’t the only ones who are hackers. Intelligence and law enforcement agencies also scour the Internet looking for any data that can be useful to governments. In the U.K., Prime Minister David Cameron said intelligence agencies need to have back doors to encrypted data management systems. In Canada, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) wants to know about any suspicious activity by clients of Canadian financial institutions.

As well, in August 2015, members of the Canadian Association of Chiefs of Police told the federal government that they wanted far easier access to Canadians’ online records, including warrantless searches of Internet subscriber data. And a new $2 billion building recently opened in Ottawa to house Communications Security Establishment Canada (CSEC), the federal government’s codebreakers and signals interceptors. There’s no reason to expect CSEC or other spy agencies will leave us alone, just because they’re ours.

Since 2005, The Globe and Mail reported recently, “CSEC has been systematically mining the metadata of Canadians’ electronic communications — phone calls, emails, text messages, Internet visits, and collecting thereby, information that can be used to develop comprehensive profiles of the habits and social networks of targeted individuals and groups.”

CSEC has been systematically mining the metadata of Canadians’ electronic communications — phone calls, emails, text messages, Internet visits …

Privacy: a valuable commodity

Dr. Ann Cavoukian, executive director of the Privacy and Big Data Institute at Toronto’s Ryerson University, says protection of data is becoming a big issue for consumers. Cavoukian served three terms as Ontario’s Information and Privacy Commissioner and is the author of The Privacy Payoff: How Successful Businesses Build Customer Trust. She says privacy is a valuable commodity in a world where the perceived threat of terror is growing and governments are pushing for more access to very private information.

“There’s been enormous pressure on telecoms to hand over information to security agencies and they’ve given up emails, texts and live calls. Telus took this all the way to the Supreme Court and won,” she says, referring to a 2013 decision that Canadians’ digital communications should get the same privacy protection as voice conversations during police investigations. “For financial institutions, there are probably similar pressures [from] government to give information [or keys to encryption]. Next to health information, our financial data is the most personal information that we have. The data says so much about us. We don’t want to share it with anyone, including the government.”

Protection — to a point

Canadians do enjoy some protection from potentially intrusive government groups. All Canadian financial institutions — and anyone else who uses personal information for commercial purposes — must follow the rules of the Personal Information Protection and Electronic Documents Act (PIPEDA), which was passed in 2001. At the time, Canada was trying to work out a free trade agreement with the European Union (EU), which takes privacy very seriously. Ottawa needed information and privacy laws that conformed to the EU’s rigorous standards.

Nonetheless, officials appear to be increasing the pressure on various organizations to share confidential material as incidents of homegrown terrorism make headlines.

The complexity of encryption

Email encryption systems are complex. Smaller organizations, especially, have problems with managing the critical bits of information known as keys. They also struggle with deploying servers and dealing with major changes in mail flow. Yet all these skills are needed to keep unwanted eyes off of electronic files.

Echoworx, which has its head office in Toronto and also operates in the U.S., the U.K. and Europe, has sold encryption software to Dell, Symantec, AT&T and Verizon. The firm realized the Canadian credit union system was a good market for high-security data protection and in October 2014, it partnered with Celero to offer email encryption software to credit union clients. The software monitors two-way communications, ensuring account statements, loan applications and insurance forms are safeguarded.

Credit unions also use the software to secure sensitive documents needed by regulators. At present, more than 3,000 credit union employees in Canada use Echoworx’s encryption software and secure data storage, making it a major provider of managed encryption services for Canadian credit unions.

All the data, whether it is moving or stored, is handled in data centres that comply with the requirements of payment card industry standards and meet the standards of Statements on Standards for Attestation Engagements (SSAE 16). The software can intelligently determine the best technology to encrypt email based on the recipient’s ability to decrypt the message.


Don Walker, chief auditor with Credit Union Central of Saskatchewan and head of INTERAC® compliance for the organization, believes the use of such encryption software was long overdue. “Everything’s connected to everything,” he points out. “Computers and servers are left on all the time, so if someone gets to your hard drive and into your computer, encryption software stops them from getting to your data.”

The software challenge

Ryan Tollofson, director of marketing at Echoworx, says his company’s software operates on a private cloud platform and that credit union members can be sure their accounts are at least as safe as those in any bank. “Sometimes credit unions are much farther ahead of banks,” he adds. “The banks are driven by compliance, while credit unions are driven by innovation. The small size of many credit unions makes them more nimble, more open to new ideas and new ways of looking at things.”

The challenge for software makers was to come up with software that was somewhat invisible to the people who use it. Surveys have found that people worry about privacy, but are careless with the way they look after their own information. The software sold to credit unions is, Tollofson says, “easy to use, so that it is no problem for clients who have no technical expertise. It is also easy for credit union employees, who simply press a button to encrypt the material. Some credit unions have chosen to upgrade to content-scanning. Even if an employee forgets to encrypt an email, the software scans it and looks for credit card numbers and other sensitive data, then automatically encrypts the file.”

Like Cavoukian, Tollofson believes money spent on data protection is an investment, not a business expense. The value comes from the ability of credit unions “to be able to tell your clients that you are careful with their data and that you have effective ways of protecting it. Compliance [with PIPEDA] is the tip of the iceberg.”

For her part, Cavoukian developed a management protocol called Privacy by Design in the mid-1990s, years before cyber security became an issue. Its name refers to the philosophy and approach of embedding privacy into the design specifications of various technologies. The system encourages businesses to think about privacy issues at the very beginning of a project and work on protecting privacy at each stage of product development. Its guidelines, which have been translated into 37 languages, are meant to complement — not replace — compliance to legislation.

“Wouldn’t you want a preventative medical model, rather than one that relies on surgery and chemotherapy to deal with illness?” Cavoukian asks. “Companies need to identify privacy rights and issues at the front end and build in protection. Big Data. Big Privacy. How do you build those into the DNA of your organization? Privacy protection is positive-sum, not zero sum. You can have privacy advocates and businesses working together when business leaders see there is a positive in privacy. When it comes to privacy, distrust is at an all-time high, not just in terms of distrust of the state, but also in terms of fears about businesses.”

Regulation fatigue

Tollofson says Canadian businesses are keeping up at the industry level with competitors overseas and although this country has never been a leader on privacy, we’re certainly doing as well as the United States — if not better.

In October 2014, an employee of the regulatory National Credit Union Administration (NCUA) lost a thumb drive containing personal credit union member information including the names, addresses, Social Security numbers and account numbers of around 1,600 members of the Palm Springs Federal Credit Union, a $13 million cooperative in Palm Springs, California. Debbie Matz, chair of the NCUA board said the agency was considering proposing a data encryption rule following that data breach.

Yet the National Association of Federal Credit Unions (NAFCU), the trade organization for credit unions in the U.S., maintained there was no reason for regulators to insist on more data encryption rules after that event. In a 2015 media release, Alicia Nealon, NAFCU’s director of regulatory affairs, contended that credit unions already follow data security regulations, although she allowed that the system had to find better ways to protect members’ data. “Rather than promulgating additional regulatory burdens on credit unions, NAFCU should take a look internally at what actions the agency can take to better protect the credit union data in its care,” Nealon stated in the release.

No security guarantees

In any event, the world is becoming a tough place for every company or person who values privacy. Dr. Vincent Mosco, professor emeritus of sociology at Queen’s University and author of To the Cloud: Big Data in a Turbulent World, says being cheap with data protection systems increases the possibility of serious trouble. “No system can be guaranteed to be completely safe, even the ones that claim to have the highest security and charge the highest rate,” he says, but the better ones rely on a private cloud service, rather than on cheaper data storage in the “public” cloud, which is hosted on servers in China and other low-cost countries.

“No system can be guaranteed to be completely safe, even the ones that claim to have the highest security and charge the highest rate”
—Dr. Vincent Mosco, Queens University

Mosco says computer hacking happens all the time. Businesses can’t delude themselves that hacking is rare just because breaches only make the news once in a while. Mosco, who is writing a paper on computer hacking for the Canadian Centre for Policy Alternatives, remarks that he has to change it all the time because new incidences of hacking occur regularly. “People in the industry say hacks are happening every day, but companies don’t report them unless they absolutely have to,” he says.

When it comes to privacy breaches, credit unions, of course, have a responsibility to be transparent. Better to put all possible safeguards in place beforehand, however, to ensure such ruptures don’t happen. ◊