Data breaches can have a huge impact on you and your business
Ever since the Office of the Privacy Commissioner introduced mandatory data breach reporting in 2018, it has seen more than 28 million Canadians affected in the first year (Getty Images/Cecilie_Arcurs)
In the past few years, several high-profile data breaches involving corporations have made the headlines—Desjardins and Capital One among them. In the Capital One case alone, a hacker stole the personal information of six million Canadians and 100 million victims in the U.S.. As Joe Ayotte, Peterborough county OPP officer, points out in a video on the subject, “They were able to obtain names, addresses, email addresses, postal codes, self-reported income. About one million social insurance numbers were compromised.”
Breaches aren’t particularly new; for example, the TJX fraud, in which 45.6 million credit and debit card numbers were stolen from one of the company’s systems, dates back to 2007. But ever since mandatory data breach reporting was introduced in 2018, there has been a huge increase in the number of reports received by the Office of the Privacy Commissioner (OPC). In fact, according to a blog published by the OPC, more than 28 million Canadians were affected by a data breach in the first year. (Also, data breaches are now being combined with ransomware attacks: see 3 current scams to keep on your watch list—and avoid.)
The consequences of having your financial and other information stolen can be dire: for example, as Ayotte points out, your credit can be affected, and this might prevent you from getting a mortgage or other loans.
HOW TO PROTECT YOURSELF
For individuals:
- Monitor your credit card transactions and if you have fallen victim to a breach, cancel your card or least lock it down.
- Freeze your credit so no one can apply for any additional loans in your name.
- Enter your email address on a site called haveibeenpwned. As cybersecurity expert Scott Williamson explains, this will let you know if your information has been breached.
- Strengthen your password. “A lot of people use weak passwords—like six characters,” says cybersecurity expert Terry Cutler. “But if you want to make a password unbreakable you want to have between 16 and 25 characters.” (Cutler suggests song lyrics or phrases.)
- Monitor your credit score. “When you walk through your credit score, you can see if people are altering it and trying to apply for credit,” says Cutler.
For businesses:
- Know what personal information you have, where it is and what you are doing with it.
- Conduct risk and vulnerability assessments and/or penetration tests.
- Think beyond traditional remedies. As Cutler points out, many companies are still focusing on traditional security (firewalls, encryption software, etc.) rather than detection and response. “But once a hacker gets past traditional security, they can be on your system for six to 18 months before being detected,” he says.
- Consider non-technical vulnerabilities. Are third parties collecting personal information on your behalf without appropriate safeguards?
If a breach has taken place:
- Contain it and designate an appropriate person to lead the initial breach investigation.
- Determine who you need to tell about the incident internally, and potentially externally, at this preliminary stage. Refer to the OPC’s guide on What you need to know about mandatory reporting of breaches of security safeguards.
- Do not destroy evidence.