Uber hack latest example of why vigilance required to keep your wallet safe

By Craig Wong

THE CANADIAN PRESS

OTTAWA - When Doug Hoyes had his credit card information stolen, fraudsters used it to pay for three taxi rides in Toronto.

He wasn’t in that city, but discovered the charges while routinely checking his card transactions online and notified his bank, which cancelled the card.

Hoyes, a licensed insolvency trustee, says the incident illustrates the importance for individuals to keep a watchful eye on their statements in a world where financial information can be stolen in a myriad of ways.

“I realize that the bank will probably cover you anyways, so you’re not going to lose any money, but do you really want to wait until they’ve used up your credit limit and you’re trying to put gas in your car and you can’t because you’re over your limit?”

Earlier this week, ride-hailing company Uber came clean about a year-old hack that compromised the data of 57 million Uber riders. The information stolen included names, email addresses and mobile phone numbers. The number of Canadians affected was not immediately known.

News of the security breach comes just two months after Equifax Inc. said some 145 million consumers - including roughly 8,000 Canadians - had personal data, and in some cases credit card details, stolen by hackers in a massive data breach earlier this year.

The thefts were the latest in what has become a regular occurrence of hackers breaking into systems and stealing customer information.

While individual pieces of information like the email addresses and mobile phone numbers that were taken in the Uber theft may seem innocuous on their own, when thieves combine it with other information that may be available elsewhere, it can spell trouble.

But even if you weren’t affected by the Uber or Equifax data breaches - or any others so far - you need to be vigilant because hacks are going to happen, he added.

“If you weren’t impacted by this one, you probably will be impacted by the next one.”

If your information is hacked, you need to change your passwords and your PINs to something that is not easily guessed, advises Lynne Santerre, a spokeswoman for the Financial Consumer Agency of Canada.

Santerre added that if you’ve been compromised you should also contact the major credit bureaus and ask for a fraud alert to be placed on your file.

“That tells lenders to contact you before approving any application for credit in your name,” she said.

“So if anyone is trying to take out credit in your name, you’ll get a phone call and you’ll be able to confirm whether that application was yours.”

Hoyes noted that much of the job of securing your information online isn’t up to you, but rather the companies storing it. But, he added, there are still things you can do such as reviewing credit card transactions and cancelling any credit you don’t need.

Both Hoyes and Santerre recommend regularly checking your credit report with the two major agencies in Canada - Equifax and TransUnion.

Checking your credit report can tip you off if your information was stolen because you will see if there are any accounts you don’t know about that may have been opened fraudulently.

Hoyes also advised against giving out your social insurance number unless required because the more information that is out there, the more at risk you become.

If your card issuer offers you an alert service that sends you a message when your card is used, it can be a great way to keep an eye on charges. But, Hoyes added, it’s not enough to rely on the fraud protection systems at your bank.

“You’ve got to be in charge,” he said. “You’ve got to take responsibility here and be looking at these things on a regular basis.”

Cybersecurity: How Safe Is Your Workforce?

Article by Davids Blackmore

In mid-May 2017, unprecedented global hacks brought organisations including the NHS, Telefónica and FedEx to a standstill. Incidents such as this ensure that the public focus is firmly fixed on attacks by faceless criminal third parties. However, when it comes to the protection of vital corporate and client data, organisations must also recognise the risks much closer to home, posed by their own personnel. IBM’s “2016 Cyber Security Intelligence Index” found that 60% of all attacks were carried out by insiders. Three quarters of these attacks were malicious, with the remainder involving reckless or inadvertent breaches by employees. It may be necessary to think again about how we tackle cybercrime, given the potential business ramifications: financial, reputational and operational.

Employee risk

Cyber risk isn’t just a matter for an organisation’s IT department or about having the most up-to-date software. Employees need to be trained to understand cyber risk and given the tools to identify and deal with such risk appropriately. This can only be done effectively if the whole organisation buys into the process. This is fundamentally a governance issue: as with any other area of risk, it must be managed coherently with arrangements covering all of those who can access organisational information, including directors, employees and contractors.

Human error and malicious intent

Not all data breaches are deliberate or malicious: many are down to simple human error. It may involve a lost memory stick, an email inadvertently sent to an incorrect email address or papers being left in a public place. For example, a mis-sent email from a London NHS clinic in May 2016 attracted a £180,000 fine from the UK Information Commissioner after it revealed the email addresses of 700 users of an HIV clinic, the sender having typed the addresses into the “To” box rather than using the “Bcc” (blind copy) option. Similarly, dating website Guardian Soulmates saw the email addresses of its subscribers made publicly available as a result of human error on the part of a third party contractor.

Breaches frequently involve individuals sending confidential data out of secure work systems to personal email addresses, including to “bank” information in the event of a future dispute or for the purposes of new employment.  For their “End-User Security Survey 2017” Dell commissioned a global survey of 2,608 professionals who handled confidential data at companies with 250+ employees in order “to find out how widespread the unsafe sharing of confidential data has become”.  Dell’s results showed that “72% of employees are willing to share sensitive, confidential or regulated company information”.

Data breaches can have a catastrophic impact. A good example is the 2015 Panama Papers case involving the offshore law firm Mossack Fonseca. An anonymous source leaked more than 11.5 million client files, going back four decades, to the German newspaper Süddeutsche Zeitung. When news of the leak broke, the firm vehemently denied that there was anything wrong with the integrity of its IT systems, stating that it had been the victim of a hack by an outside third party. It ultimately transpired, however, that the data had been disclosed by an employee of the firm, a disgruntled IT worker who systematically uploaded large amounts of client data over a prolonged period of time – purportedly because of moral concerns around worldwide income inequality.

According to the International Consortium of Investigative Journalists, an estimated $135 billion was wiped off the value of nearly 400 companies after the Panama Papers.  Like the hacks affecting the NHS and others, the case demonstrates the extraordinary power of modern technology to stop business dead in its tracks.

What can you do to minimise the risk to your organisation?

The Cyberedge Group’s “2017 Cyberthreat Defence Report” says that “once again, respondents cited users as the greatest obstacle to their organization’s establishing effective defences, as “low security awareness among employees” topped the chart for a remarkable fourth consecutive year…”

So what can be done to address this problem?

There is no absolutely failsafe method of protecting your company data: an organisation is only as strong as its weakest link.  However businesses can be alert to the risks, put in place appropriate plans to minimise the likelihood of a breach and have a breach response plan in place.  This will ensure that if there is a breach the situation can be managed and damage minimised.  Insurance policies should be reviewed, as the right policy may provide specialist external support in the event of cybersecurity incidents.

Education, education, education.

Equipping employees with the skills to recognise and manage cyber and information security risks, raising awareness of cybersecurity issues and instilling a culture of good data management will help build an organisation that appreciates the importance and value of the data that it holds.  In particular a business should:

  1. Identify and understand the information held by the organisation, who it belongs to and why it is important.
  2. Identify the cyber risks that exist and the assets you are trying to protect.
  3. Put in place a robust (but workable and easy to understand) cybersecurity policy so your staff understand the risks faced by the organisation, how they must deal with information and what they must do if the integrity of the organisation’s systems is breached.
  4. Educate your workforce to recognise and respond to security issues which arise.

So are employees a risk to the integrity of your business?  Yes.  But they can also be your first line of defence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq

October is Cyber Security Awareness month

Aviva Canada

Did you know?

In 2016, Canadians lost $40 million to online scams. With identity theft and other online security breaches on the rise, consumers need to be aware of how to protect themselves.

What is identity theft?

Identity theft is when someone uses your personal information – like your credit card, Social Insurance Number or name – without your knowledge or consent, to commit fraud. Some common ID theft scams include creating false lines of credit and making purchases using a stolen bank account or credit card.

According to the Ontario Securities Commission, your identity is at risk when:

  • you enter your credit card information online on a non-secure website
  • you click on an email link from what looks like a legitimate bank or online shopping service (e.g. PayPal) and enter your account information
  • your personal information (Social Insurance Card, credit card or bank card) is stolen
  • you give out your credit card’s three-digit security code over the phone to a scammer who claims to be from your financial institution
  • any time your personal information is available to others

Aviva’s Identity Theft coverage is now even better

Aviva has introduced an enhanced ID Theft coverage – offering customers even more peace of mind as they tap, swipe and click their way through life. As one of the most comprehensive on the market, it features widespread financial protection if your identity is compromised, including:

  • an increased limit of $40,000 per policy term for all ID theft expense claims
  • a $5,000 limit per policy term to cover any financial loss due to ID theft
  • 24/7 credit bureau monitoring and two credit bureau reports for six months after an ID theft claim
  • access to your own ID theft case worker to help you identify and restore your finances and personal information after an ID theft claim

Don’t let thieves get the upper hand – learn more here or contact an insurance broker to add Identity Theft coverage to your home insurance policy.

How the cyberattack on Equifax unfolded and the fall out that followed

Months after hackers gained access to the personal data of millions of American, Canadian and U.K. consumers through Equifax’s website, the company disclosed the massive cyberattack to the public.

It now faces multiple investigations and lawsuits in Canada and south of the border, while its shares have fallen more than 30 per cent in less than two weeks.

Here is a look at how one of the largest cyber attacks in history unfolded and the fall out that followed:

_ _ _ _

Early March: The United States Computer Emergency Readiness Team detects and discloses a vulnerability in Apache Struts, a widely-used web-application software product.

_ _ _ _

May 13 to July 30: Hackers have unauthorized access to Equifax Inc.’s files.

The company later says the hackers gained access through the vulnerability in Apache Struts, which supports Equifax’s online dispute portal web application.

_ _ _ _

July 29: Equifax’s security team observes suspicious network traffic on a U.S. online dispute portal web application. The company’s security team blocks the identified suspicious traffic.

The company says in later communication that it “acted immediately to stop the intrusion.”

_ _ _ _

July 30: The same team observes more suspicious activity and the company takes the affected web application offline.

_ _ _ _

Aug. 2: Equifax contacts cybersecurity firm Mandiant, which spends several weeks conducting a forensic review.

_ _ _ _

Sept. 7: Equifax publicly discloses the cyberattack for the first time, saying it may have compromised the personal data of up to 143 million Americans. The company adds that an unspecified number of U.K. and Canadian consumers also may have been impacted.

On a website for affected U.S. consumers, Equifax explains that the complex and time-consuming investigation is behind the delay between its discovery of the breach and disclosing it.

“As soon as we had enough information to begin notification, we took appropriate steps to do so,” the company says.

_ _ _ _

Sept. 12: An Ontario resident files a proposed class action in the province, seeking $550 million in damages from Equifax, according to Toronto-based law firm Sotos LLP. It is one of at least two proposed class action lawsuits filed in Canada against the credit monitoring company.

_ _ _ _

Sept. 14: The Federal Trade Commission says it is opening an investigation into the hack.

The chairmen of two congressional committees say in a letter to Equifax CEO Richard Smith that they are investigating the breach and ask for a slew of documents and a company briefing by Sept. 28.

_ _ _ _

Sept. 15: The Office of the Privacy Commissioner of Canada launches an investigation into the breach.

Equifax says fewer than 400,000 U.K. consumers had some of their personal information compromised, but it was more limited in scope and unlikely to lead to identity theft.

The company says its chief information officer and chief security officer are retiring. Both are replaced with internal employees on an interim basis effective immediately.

_ _ _ _

Sept. 19: Equifax says about 100,000 Canadian consumers may have had their personal information and credit card details compromised in the cyber attack. The breached data may have included names, addresses, social insurance numbers and, in limited cases, credit card numbers.

Later that day, Equifax revealed that it also had a security breach earlier this year that involved a different part of the company than the one accessed in the larger hack.

The breach involved TALX, which is Equifax’s human resources and payroll service. The company said there’s no evidence that the TALX breach, which happened between March and April this year, and the wider breach are related.

_ _ _ _

Oct. 2: Equifax provides an update saying a completed review determined that personal information of approximately 8,000 Canadian consumers was impacted, down from its original estimate of 100,000.

However, it said the review added about 2.5 million Americans to the list of those affected by the massive cyberattack, bringing the total number of people in the U.S. potentially impacted to 145.5 million.

Beazley Canada strengthens its cyber risk team

Specialist insurer Beazley has appointed Miki Ho as cyber risk underwriter. Based in the company’s Toronto office, Mr Ho’s focus will be on developing Beazley’s portfolio of cyber liability and technology risks for large enterprises in Canada.

Mr Ho joins Beazley from Allianz where he was a senior underwriter for cyber and professional liability risks, following previous underwriting and broking roles with a portfolio of clients in the financial institutions sector.

Paul Bantick, Beazley’s Technology, Media & Business focus group leader, says: “We are excited by the opportunities we see to support Canadian businesses against the risks of cyber liability and data breach. With the cyber and technology risk landscapes changing rapidly and the number of data breaches unabated, the demand for cyber insurance products is growing strongly. With Miki having joined our team, we are well placed to take advantage of this growing demand and the opportunities that exist in the Canadian market.”

Phil Baker, head of Beazley Canada, adds: “Beazley is a market-leading provider of cyber liability, technology errors & omissions, and miscellaneous professional liability coverage, with a global team structured to deliver local solutions. Miki will play a pivotal role in delivering those local solutions to brokers and clients in Canada.”

Note to editors:

Beazley plc is the parent company of specialist insurance businesses with operations in Europe, the US, Canada, Latin America, Asia and Australia. Beazley manages six Lloyd’s syndicates and, in 2016, underwrote gross premiums worldwide of $2,195.6 million. All Lloyd’s syndicates are rated A by A.M. Best.

Beazley’s underwriters in the United States focus on writing a range of specialist insurance products. In the admitted market, coverage is provided by Beazley Insurance Company, Inc., an A.M. Best A rated carrier licensed in all 50 states. In the surplus lines market, coverage is provided by the Beazley syndicates at Lloyd’s.

Beazley is a market leader in many of its chosen lines, which include professional indemnity, property, marine, reinsurance, accident and life, and political risks and contingency business.

For more information please go to: www.beazley.com

SOURCE Beazley

N.S. sends teen suicide expert to Cape Breton, promises new cyberbullying law

By Brett Bundale

THE CANADIAN PRESS

HALIFAX - As a Cape Breton school board grapples with multiple teen suicides, the Nova Scotia government is sending a youth mental health expert to the grief-stricken community and promising new anti-cyberbullying legislation this fall.

Dr. Stan Kutcher, a Dalhousie University psychiatry professor, will travel to Cape Breton Monday to talk to families, schools, and the community about mental health concerns and what supports they need.

He is expected to report back to the province in the coming weeks.

The parents of a 13-year-old girl who took her own life on Father’s Day said bullying led to her death, and more needs to be done to protect other young people. They said their daughter, Madison Wilson, was subject to verbal abuse at school and through social media.

Premier Stephen McNeil said the province needs to have a broader conversation about bullying, especially online attacks.

“I can’t imagine how some of these young kids who are exposed to that are feeling,” he said Thursday. “We need to have a public conversation about what’s happening online. Our children can’t get away from it.”

McNeil said he hopes the province will engage the public in a broader conversation when it rolls out its updated anti-cyberbullying legislation.

Nova Scotia’s Cyber-Safety Act, the first law of its kind in Canada designed to protect victims of online harassment, was struck down in late 2015 after the province’s top court ruled that it infringed on Charter rights.

The law was passed in response to the death of Rehtaeh Parsons, a 17-year-old girl who was bullied and died after a suicide attempt.

Justice Minister Mark Furey said Thursday the recent suicides in Cape Breton, with at least one tied to cyberbullying, underscore the importance of the new legislation.

“We’re positioned now to introduce legislation this fall,” he said.

Furey said he hopes Kutcher, an expert on adolescent mental health, will be able to inform the province on what steps can be taken to support the community.

“Dr. Kutcher is a recognized mental health expert so his presence and participation in the discussion in Cape Breton will help the families, the school and the community deal with these tragic circumstances,” he said.

Darren Googoo, chairman of the Cape Breton Victoria Regional School Board, said this week the board is drafting a letter to the provincial Education Department with the idea of starting a dialogue on the issue.

“Our students are dealing with the trauma associated with the loss of a schoolmate and, going into the summer months, we want to make sure that we have a more co-ordinated approach with our provincial partners in health, in terms of providing services,” Googoo said.

Education Minister Zach Churchill said the province needs to “work together” to better understand the factors that contribute to teen suicides.

“We do have a collective responsibility to better understand these things, to learn from them and do our very best to improve the supports available,” he said. “We need to have an honest, open and frank conversation.”

However, it’s unclear whether additional resources, such as guidance counsellors or psychologists, will be made available.

In fact, Health Minister Randy Delorey said the province put additional resources in place for schools but it’s up to the board to decide “where exactly the resources are being allocated.”

He said questions about “how they’re choosing to spend their resources” are better directed to the school board.

However, he did admit that mental health is an area of priority for the province that requires more attention.
