If you receive a notification from a company that your information may have been involved in a data breach, don’t dismiss it. Breach notifications are a relatively new requirement for companies. The aim is to ensure victims are informed of the loss of their data and their resulting vulnerability and exposure to cyberattack. The problem is that very few people actually do anything with this information. The notifications have become such a regular occurrence that they no longer prompt us to take the necessary steps to protect ourselves. Instead of taking action, we cross our fingers and hope that nothing worse comes from it, awaiting the next email to learn if it did.
Some recent breach notifications
In 2020, the Canada Revenue Agency (CRA) announced it was the victim of a series of cyberattacks that allowed hackers to access 5,600 “My Accounts”. It advised that impacted Canadians would be notified that their account was breached and told what to do about it. These notifications might look similar to the one 8,000 Canadians received related to the Equifax breach, or the one from Lifelabs, whose breach affected 15 million customers (almost all of them in Ontario or BC). There is also a Yahoo! email circulating widely relating to a breach (and settlement) that affected 3 billion users worldwide.
Using your leaked information against you
This is actually what makes the CRA breach noteworthy. The attackers used a technique called “Credential Stuffing”, which essentially targets people who use the same password and username for multiple site logins. The credentials were legitimate; they were likely originally stolen from other breached sites. This is somewhat similar to a recent and terrifying scam in which hackers send victims an email with one of their old passwords in the subject line, claiming they have hacked the victim’s account, installed malware and recorded a video of the victim visiting adult websites. These old passwords are also often real ones harvested from previous data leaks. In both cases, the attack is effective because it uses our own real, previously leaked and probably still unchanged information against us.
Why does it matter?
On its own, a breach may feel insignificant. To the hackers, however, it’s another piece of a puzzle they are putting together to identify their victims and to design and launch their attacks. If you aren’t paying attention, I guarantee you they are. If you aren’t acting to protect yourself, you leave yourself dangerously exposed. The results can be devastating, including serious fraud, extortion, identity theft, corporate espionage, online harassment, invasion of privacy and stalking.
What should I do?
It is therefore important to stay vigilant and take responsibility for your personal cyber security. When you get a notification:
- First ensure it isn’t a phishing attack
- If it is legitimate, take the recommended remediation steps or seek assistance
Your company may be responsible for your phone and computer security, but it may not be there to help with your CRA account, your personal Lifelabs health records or that extortion email you receive in your personal email account. Don’t hesitate to get in touch if you need some assistance.