It’s Data Privacy Day on Sunday January 28th, and it serves as an important reminder to pull ourselves up by our digital bootstraps and lock down all that personal information that we willingly sprinkle all over the internet.
What is Considered Personal Information?
In broad strokes, personal information is that which allows you to be identified. Canada’s privacy law PIPEDA defines personal information as “any factual or subjective information, recorded or not, about an identifiable individual”. It could be your full name. It could be a combination of your name and your date of birth. It could be your address, your religion, your occupation, your blood type, the phony name that you use for your Instagram account or any combination thereof.
Your personal information, should it fall into the wrong hands, can be used for fraudulent purposes - applying for credit cards and loans, accessing your bank account, using your legitimate identity to defraud other people.
How Your Personal Information is Stolen From You
There are a number of ways that your personal information can be stolen:
- Discarded paper in your garbage can or dumpster that contains your name, your account numbers, your birthdate, or your address. Discarded electronics and digital media like CDs, USB drives, hard drives, and old phones can also contain sensitive material.
- Phishing emails that you think are from your bank, shipping company, or other well-known companies contain links to sites that will trick you into divulging account numbers, usernames and passwords.
- Phone fraud (sometimes called vishing) or text fraud, where scammers impersonate a legitimate company. Both the Canada Revenue Agency and BC Hydro are currently warning people about text scams that ask for banking details and social insurance numbers. The CRA scam tries to frighten people by telling them they are being investigated, and the BC Hydro scam lures people in with the offer of a refund.
- Malware picked up from visiting dodgy websites can install software on your computer, tablet or phone that can log information that you type, hold your files for ransom, and spy on you from your camera.
- Data breaches at the services that you use online. Equifax was hacked in 2017, Yahoo in 2013, Uber in 2016, Dun and Bradstreet and Saks 5th Avenue in 2017. Your personal account information and your passwords then become available to the highest bidder.
- Public wifi is not secure, and your online activities can be snooped upon while you are using it. It’s common practice for fraudsters to set up their own wifi hotspots, named in such a way that you think you are connecting to a legitimate coffee shop, public institution or business’s network.
But there is another way that your personal information can be harvested, and it’s through the things we do on a regular basis online. Did you enter an address into a map app this week? Have you tracked your heartbeat with a fitness device recently? Couldn’t resist answering the latest Buzzfeed quiz to find out what kind of sandwich meat you are? Upload a picture of yourself to find your artist look-alike lately, anyone?
And of course, companies like Google track your activities through your use of their search engine, their email service, their map app, etc., and have many, many, many data points about you. Gathered together, those points give them a frightening amount of information about you. If that data is not used appropriately, or is sold to advertisers, or is stolen, algorithms can be applied to it to distill the information down and identify you.
How to Keep Your Personal Information Safe and Prevent Data Breaches
There are many things you can do to protect your personal information.
First, the obvious steps you can take to protect your identifiable data:
- Don’t send your banking or tax information via email or text. Neither Canada Revenue nor your bank will request that from you. You can ignore any texts that purport to be from these kinds of institutions, and you should always hang up and call the official bank and CRA phone numbers if someone calls you and requests this information.
- Don’t open emails from senders or addresses that you don’t know, and don’t provide sensitive information via email.
- Look at the links in the body of an email and confirm that they are legitimate addresses before you click on them.
- Stay away from websites that play fast and loose with copyright. Torrenting Game of Thrones can lead to a bad case of malware.
- Shred any documents that show your name or account numbers. Have old computers, phones or USB drives that have stopped working? Smash them with a hammer, or extract the hard drive and back your car over it! (Fun, right?)
- Keep your operating system software and your antivirus software up to date.
- Create passwords that are tougher to crack by adding in numbers and special characters. Use different ones for different services and change them all frequently.
- Don’t download or launch attachments from sources that you are uncertain of.
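The advice above to look at the links in an email body before clicking is something you can automate. The following is an added example, not code from the Webnames post; it uses only the Python standard library and runs against a constructed phishing-style HTML body embedded in the block. It flags the three things worth checking by eye as well: links that point at a bare IP address, links whose destination domain is not one you do business with (the trusted set `TRUSTED_DOMAINS` is an assumption for the example), and the classic trick where the visible text shows one URL while the `href` goes somewhere else. The `registrable_domain` helper is a deliberate simplification (last two labels); production code would use the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample: the HTML body of a phishing-style email. Not a real message.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been limited.</p>
<p>Please <a href="http://203.0.113.7/login">sign in to your account</a> to restore access.</p>
<p>Or visit <a href="https://examplebank.com.verify-login.example">https://www.examplebank.com/secure</a></p>
<p>Contact us any time at <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a>.</p>
"""

# Domains the reader actually does business with (assumed for this example).
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplified: keep the last two labels (examplebank.com). Real code needs the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons this link looks suspicious (empty list = nothing found)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append("unexpected scheme")
    elif parsed.scheme == "http":
        reasons.append("plain http")
    if is_ip_literal(host):
        reasons.append("IP address instead of a name")
    elif registrable_domain(host) not in trusted:
        reasons.append("destination domain not trusted")
    # Visible text that looks like a URL but differs from the real destination is the classic lure.
    if text.startswith(("http://", "https://", "www.")):
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            reasons.append("visible URL differs from real destination")
    return reasons


def audit_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible_text, reasons), ...] for every link in the body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text, trusted)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL_HTML):
        print(f"{href!r} shown as {text!r}: {reasons or 'ok'}")
```

Only the third link (a genuine, https link to the trusted domain whose visible text matches its destination) comes back clean; the first is flagged for plain http and an IP-literal host, the second for an untrusted destination hiding behind a trusted-looking display URL.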
Now for some of the less obvious things you can do:
- Lie like a rug. Want to do a quiz but it needs your name and birth date? Lie about your age and create an “internet name”. Your name and date of birth are the keys to your castle so feel free to change your name from John Smith to Jared Smithson and become a younger, more Aquarius version of you!
- Cover your webcam when not in use. Especially if you are a woman.
- Add your phone number as an authentication tool to all of your social media and email accounts. Gmail, Twitter, etc. will all text you codes to authenticate yourself online when you are making any account changes.
- Don’t enter any personal data over public wifi.
- Keep your LinkedIn profile simple. Your profile is public unless you hide it and letting the world know exactly what you do at your job could lead to identity theft.
It’s important to remember that the threats that can compromise your personal information are the same threats that can compromise the data and computing infrastructure at your company.
When a link clicked in a phishing email takes the user to a malware site that then infects the machine, there is the potential for that piece of malware to then exploit vulnerabilities and infect all of the machines on a company's network.
Computers and servers that have not had their operating systems patched are vulnerable to being exploited by worms, malware and ransomware. Ransomware is particularly insidious as perpetrators use it to lock down files needed for the business and not unlock them until a ransom is paid. Locked files can interrupt the ability to process things like sales, payments, and bookings, and in the case of the recent WannaCry attack, the ability for hospitals to treat patients.
Phishing has also been a culprit for major security and data breaches. Wired magazine reported on a Brazilian bank that had all of their online services replaced with look-alike web pages that captured account information and passwords. How was this possible?! Didn’t people realize that they weren’t at the legitimate website? Shouldn't the incorrect domain name have been a dead giveaway?
The brazen theft was accomplished after cybercriminals took control over the bank’s domain account at the registry operator level, most likely by using a phishing email sent to the domain administrator that enabled them to capture the account’s username and password. Once they had access to the domain account they changed the DNS so that all web and email traffic went to the pages that they had set up. Because the legitimate domain names were used, users had no indication that they were on an imposter website.
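The hijack described above changed the domain’s nameserver, web and mail records out from under the bank. A simple detection that catches this is to keep a baseline of the records you expect and compare a fresh snapshot against it. The following is an added example and is not code from the Webnames post or from the Wired report; the baseline and the “hijacked” snapshot are both constructed, and the comparison is kept independent of how the snapshot is obtained (a real deployment would feed it the output of a DNS library or `dig` run from a scheduled job). It normalises case and trailing dots first so that cosmetic differences in resolver output do not raise false alarms, and grades nameserver changes as the most severe because they hand the attacker every record at once.

```python
# Expected records for the watched domain. Constructed for this example; in practice
# load them from your DNS provider's zone export at the time you know the zone is clean.
BASELINE = {
    "NS": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "A": {"198.51.100.10"},
    "MX": {"10 mail.example-bank.example"},
}

# Constructed snapshot standing in for a live lookup after a registrar-account takeover:
# the nameservers were repointed, so web (A) and mail (MX) now resolve to attacker hosts.
HIJACKED_SNAPSHOT = {
    "NS": {"ns1.attacker-dns.example", "ns2.attacker-dns.example"},
    "A": {"203.0.113.50"},
    "MX": {"10 mail.attacker-dns.example"},
}

# Constructed snapshot with only cosmetic differences (upper case, trailing dot): no drift.
NOISY_BUT_CLEAN_SNAPSHOT = {
    "NS": {"NS1.example-dns.net.", "ns2.example-dns.net"},
    "A": {"198.51.100.10"},
    "MX": {"10 mail.example-bank.example."},
}


def normalize(records):
    """DNS names are case-insensitive and resolvers differ on the trailing dot; strip both."""
    return {r.lower().rstrip(".") for r in records}


def dns_drift(baseline, observed):
    """Return {record_type: (added, removed)} for every type whose record set changed.

    Record types present in the baseline but missing from the snapshot show up as
    'removed' (the attacker, or an outage, made them disappear)."""
    drift = {}
    for rtype, expected in baseline.items():
        expected = normalize(expected)
        seen = normalize(observed.get(rtype, set()))
        added, removed = seen - expected, expected - seen
        if added or removed:
            drift[rtype] = (sorted(added), sorted(removed))
    return drift


def severity(drift):
    """NS changes redirect everything; A/MX changes redirect web or mail; nothing else alerts."""
    if "NS" in drift:
        return "critical"
    if "A" in drift or "MX" in drift:
        return "high"
    return "none"


def report(baseline, observed):
    """One-line summary suitable for a monitoring alert."""
    drift = dns_drift(baseline, observed)
    if not drift:
        return "none: DNS records match baseline"
    parts = [f"{rtype} +{added} -{removed}" for rtype, (added, removed) in sorted(drift.items())]
    return f"{severity(drift)}: " + "; ".join(parts)


if __name__ == "__main__":
    print(report(BASELINE, NOISY_BUT_CLEAN_SNAPSHOT))
    print(report(BASELINE, HIJACKED_SNAPSHOT))
```

Run on a schedule from a host that the domain account’s credentials cannot touch, this check would have fired the moment the nameservers were changed, which is hours or days before users notice anything, because the legitimate domain name keeps working the whole time.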
How to Protect Your Domain Names and the Personal Information Associated With Them
While we can’t stop employees from clicking on links in phishing emails, Webnames can help protect your domains so what happened at the bank doesn’t happen to your company.
There are four levels of security available for your domain names. It starts with Domain Privacy, which substitutes non-personally identifiable information in place of your personal or business contact details (e.g., names, email addresses, phone numbers, etc.) to anonymize the domain’s WHOIS record. Next we can lock your account down to a specific IP address. If you still want additional protections in place, we can up the ante by locking down your domain within your Webnames account and at the registry level.
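Three of the four levels above leave a trace that anyone can verify in the domain’s public WHOIS record, which makes it easy to audit your own portfolio. A registrar-level lock shows up as the EPP status codes `clientTransferProhibited`, `clientUpdateProhibited` and `clientDeleteProhibited`; a registry-level lock adds the corresponding `server*Prohibited` codes, which only the registry can clear; and Domain Privacy shows up as redacted registrant fields. (The IP-address restriction on the account is enforced at login and is not visible in WHOIS.) The following is an added example, not Webnames code: it parses a constructed WHOIS excerpt in the common `Domain Status: <code> <url>` layout and reports which of the visible protections are in place and which codes are missing.

```python
import re

# Constructed WHOIS excerpt for a domain with privacy and a registrar lock, but no registry lock.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BANK.EXAMPLE
Registrar: Example Registrar Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
"""

# Constructed excerpt for an unprotected domain: no locks, registrant details exposed.
UNPROTECTED_WHOIS = """\
Domain Name: EXAMPLE-SHOP.EXAMPLE
Domain Status: ok https://icann.org/epp#ok
Registrant Name: Jane Example
Registrant Email: jane@example-shop.example
"""

# EPP status codes (RFC 5731). client* codes are set by the registrar on the owner's request;
# server* codes are set by the registry and are what a "registry lock" service turns on.
REGISTRAR_LOCK = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
REGISTRY_LOCK = {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}


def parse_statuses(whois_text):
    """Collect every EPP status code from 'Domain Status:' lines, ignoring the trailing URL."""
    return {m.group(1) for m in re.finditer(r"^Domain Status:\s*(\w+)", whois_text, re.M)}


def whois_privacy_enabled(whois_text):
    """True when the registrant contact fields are redacted or point at a privacy/proxy service."""
    pattern = r"^Registrant (Name|Email|Phone):.*(REDACTED|privacy|proxy)"
    return re.search(pattern, whois_text, re.M | re.I) is not None


def lock_report(whois_text):
    """Summarise which WHOIS-visible protections are on and which status codes are missing."""
    statuses = parse_statuses(whois_text)
    missing_registrar = sorted(REGISTRAR_LOCK - statuses)
    missing_registry = sorted(REGISTRY_LOCK - statuses)
    return {
        "whois_privacy": whois_privacy_enabled(whois_text),
        "registrar_lock": not missing_registrar,
        "registry_lock": not missing_registry,
        "missing": missing_registrar + missing_registry,
    }


if __name__ == "__main__":
    for label, text in (("protected", SAMPLE_WHOIS), ("unprotected", UNPROTECTED_WHOIS)):
        print(label, lock_report(text))
```

For the first sample the report shows privacy and the registrar lock on but the registry lock off, with the three `server*Prohibited` codes listed as missing; the second sample has nothing on and all six codes missing. Run the same check over a real WHOIS lookup for each domain you own and the missing list is your to-do list.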
Protecting personal information and business data does take work - and it does become a game of whack-a-mole when you think you are doing everything right and someone else exposes your data and then you have to change all your credentials again. But by following the recommendations on how to protect yourself and your business you are at least one step ahead of the attackers, which hopefully lets you rest a little easier at night.