Protect your privacy — Data Privacy Day tip sheet

In today’s remote landscape, we can all benefit from incorporating small cyber security practices into our daily lives. Understanding how to keep your work and personal information safe from malicious hackers is crucial to keeping ourselves and our devices secure.

Take the Data Privacy Day challenge — review and take these three steps to protect your privacy as we work and learn from home:

Data Privacy Day 2021 - Take the Data Privacy Day Challenge

Download the Tip Sheet as a PDF.

For more tips on online safety, visit the Remote Security Matters webpage.

2020’s biggest data breaches and lessons learned

This Jan. 28, 2021 marks 30 years since the signing of Convention 108, the first legally binding treaty to address data privacy and protection for individuals. Since then, there has been exponential development in information security and in how we protect ourselves.

The treaty and this ongoing growth are the reasons we celebrate Data Privacy Day internationally each year — to highlight the value and trends in data privacy.

Here are five big data breaches that made the news in 2020 and lessons learned:

Estée Lauder database exposed

In January 2020, more than 440 million database records belonging to Estée Lauder were exposed. The database reportedly housed internal documents, sales data, IP addresses and email addresses. Read this article to learn more about the Estée Lauder breach.

Takeaway: Though this case was not consumer-facing, it’s important to know that large companies get hacked too. Once hackers gain access to your information, you are more susceptible to cyber threats in the future. Review these University of Toronto (U of T) information security tips to learn how to protect yourself against attacks aimed at you personally.

Nintendo user accounts compromised

In April 2020, 300,000 Nintendo user accounts were compromised due to a cyber attack. Hackers used the stolen account information, including passwords, birthdates and email addresses, to purchase digital items. As a response to the attack, Nintendo altered its Network ID (NNID) login method and advised users to enable multi-factor authentication (MFA). Read this article to learn more about the NNID breach.

Takeaway: Enabling MFA adds an extra layer of protection to accounts and data. It is good practice to enable MFA wherever possible to defend against these types of attacks. Read this article about U of T’s MFA service, UTORMFA.

Thousands of Zoom accounts stolen

In April 2020, criminals gained access to more than 530,000 Zoom user accounts and listed them for sale on the dark web. They accessed details such as passwords, email addresses, host keys and personal meeting URLs. Read this article to learn more about the Zoom breach.

Takeaway: Cyber criminals take advantage of trends. Since most of the world switched to online learning and working in March, Zoom accounts were strategic targets. Cases like this are a reminder to use different passwords for different accounts so that if one of your accounts is hacked others may still be protected. Read this article for U of T’s tips on password best practices.

Hackers access EasyJet customer personal information

In May 2020, a “highly-sophisticated” malicious actor gained access to the personal data of nine million EasyJet customers. This included email addresses, names and travel records. An additional 2,200 customer files were accessed, which included customers’ credit card information. Read this article to learn more about the EasyJet data breach.

Takeaway: These customers are likely to face phishing attempts in the future based on the information the hackers now have. Educate yourself on what phishing attempts look like and how to deal with them, here.

SolarWinds Orion breach triggers White House security meetings

Throughout 2020, there were ongoing threats and reactions to the SolarWinds cyber-espionage campaign, which began in September 2019. The breach targeted numerous government agencies and private organizations including the world’s leading cyber security firm, FireEye. Read this article to see a timeline of the SolarWinds hack.

Takeaway: Anyone, even cyber security firms and the State, can get hacked. Review U of T’s Information Security-approved tips for working securely online, here.

Cyber security news roundup: A widespread malware threat, ransomware attacks and phishing scams

In an increasingly digital world, cyber security issues are an inevitable (and ever-growing) part of the landscape. With COVID-19 driving an increase in security breaches, this continues to be a hot topic in local, national and international news coverage. Here is a brief roundup of some of the most interesting news items from the past month.

Cyber security attack targets Saskatchewan Polytechnic

Saskatchewan Polytechnic fell victim to a cyber attack on Nov. 1. Though the specific type of attack has not been disclosed to the public, the school is reported to be making progress on safely restoring systems, after all online and in-person classes were cancelled until Nov. 4.

Takeaway: Cyber attacks are common and can happen to anyone. A simple tip to help protect yourself is to update your passwords often and use different passwords for all your accounts. By doing this, if one of your passwords gets compromised, your other accounts will still be safe. Learn more about password best practices.

Phishing scam reported at Waterloo University

The University of Waterloo reported a phishing scam on Oct. 26, which took the form of a convincing email, targeting university faculty, staff and students. Recipients were told they could receive $2,000 for COVID-19 support by filling out a form.

Takeaway: Educate yourself on phishing red flags. Some tips include hovering over links to view the link address, looking for typos or bad grammar and reaching out to the contact directly to confirm the details in the email.

Cybercrime threat to U.S. hospitals and healthcare providers

KrebsOnSecurity received a tip that a well-known Russian cybercriminal gang, Ryuk, was preparing to disrupt information technology systems at hospitals, clinics and medical care facilities across the United States. Only a handful of attacks have been seen so far. The malware appears to target Windows systems, but there are some indications that it may also affect other platforms such as Linux.

Takeaway: University staff and faculty are urged to be on alert and to continue applying regular patches as needed. Managing vulnerabilities in your environment is one of the best defences against the ever-evolving threat landscape. Review this tip sheet from the Canadian Centre for Cyber Security.

Cyber attack hits Jewish General’s IT network

The Jewish General Hospital and other institutions in Montreal’s west end fell victim to a computer virus that attacked their information technology systems on Oct. 28. In response, access to networks was quickly suspended, which limited access to patient records and data. Since the intrusion was spotted early, no data was accessed and no ransom demand was made.

Takeaway: Ransomware is typically spread via spam or phishing emails, exploitation of software vulnerabilities or remote admin (e.g., remote desktop protocol) connections that are accessible from the internet. Learn more about ransomware and how to protect yourself.

Montreal public transport agency refuses to pay ransomware hackers

A ransomware attack targeted Société de transport de Montréal’s (STM) servers and asked for $2.8 million as ransom, which the agency is refusing to pay. The attack impacted 624 operationally sensitive servers and stopped STM from providing adapted transit for almost one week.

Takeaway: While there is no way to fully prevent ransomware, there are a number of steps you can take to minimize your risk, including providing security awareness training for employees, patching operating systems and third-party apps, performing frequent back-ups and more.


For more tips on staying safe online, visit the Remote Security Matters webpage.

Shop securely this holiday season

As technology advances and the current pandemic forces a virtual approach to everyday tasks, online shopping is becoming a more accessible and common method of purchasing gifts and everyday items. This societal shift has caused an uptick in social engineering attacks as hackers take advantage of this reliance on our devices. In addition, hackers historically anticipate the influx of online shoppers during the holiday season, which puts our personal and financial information at an even greater risk.

Before loading up your virtual shopping cart, read through this list to ensure you are protecting your information by following cyber security best practices:

Do your research

Shop with reputable vendors and/or ones that you are familiar with. If you come across special holiday deals that seem too good to be true – and if the website isn’t familiar to you – do your research before moving forward with your purchase. The Better Business Bureau helps identify trustworthy businesses and provides direct links to their online retail sites.

Look for the lock

Don’t input any sensitive (personal or financial) information unless the webpage URL begins with https and the browser shows the lock icon. These indicate that the connection between your browser and the site is encrypted, so the data you enter is protected in transit. When possible, give up as little personal data as possible. Even large companies’ websites get breached all the time.

Be skeptical

Phishing attacks are becoming more advanced and more common as a result of the pandemic. Be skeptical of any email that asks you to confirm personal or financial information, even if it references a specific recent purchase. If you suspect a phishing attempt, review these steps and report it.

Wi-Fi or VPN

Public Wi-Fi connections make it easier for hackers to intercept insecure transactions as they are being transmitted. Play it safe by connecting to a password-protected Wi-Fi that you trust before inputting any personal information.

If you need to use public Wi-Fi to make a purchase, connect to a virtual private network (VPN), which creates an encrypted tunnel between your computer and the VPN server, so anyone else on the public network cannot intercept your personal information.

Create strong passwords

When an online retailer requires you to create an account to make a purchase, make sure to create a strong password. This includes making it unique from any of your other passwords. Click here for more password tips.

Opt for credit

Once you make it to the payment page, best practice is to use a credit card instead of debit. Most credit card companies have protections in place to save you from fraudulent charges, plus the money is not automatically drawn from your account. In either case, it is also best to check your bank statement to ensure there are no discrepancies.

Safe shopping!

CSAM 2020 recap: U of T community engages in virtual events and activities

Throughout the month of October, hundreds of University of Toronto (U of T) staff, students and faculty sharpened their knowledge of remote security by participating in U of T’s virtual Cyber Security Awareness Month (CSAM) events and activities.

CSAM, an internationally recognized initiative, is hosted annually at U of T by ITS’ Information Security (IS) team in partnership with Education, Awareness & Culture.

One hundred and four tri-campus community members attended U of T CSAM events, including two Coffee with the CISO sessions and a “Get to know your Information Security team” webinar panel. Additionally, U of T’s Mississauga and Scarborough Information and Instructional Technology Services (IITS) teams hosted U of T’s first virtual information security conference called Secure Together, featuring 49 presenters, each speaking on an aspect of privacy and security. If you missed it, you can watch the conference here.

The CSAM 2020 events and programs highlighted the many Information Security programs available to the U of T community. On Oct. 28, a launch event was held for the Data Asset Inventory and Information Risk Self-Assessment (DAI-IRSA) program, which featured presentations from Information Security and Data Governance staff who provided an overview of the program and offered information on how and why to enrol.

“CSAM is a great opportunity to enhance awareness and educate our community on the daily routines and precautions we can perform to protect ourselves and our data,” says Deyves Fonseca, associate director, Information Security Operations, ITS. “I was happy to take part in this year’s campaign to help relay these important messages and remind our tri-campus community about the available programs that help keep us safe.”

Throughout the month-long campaign, 12 educational blog posts were published and viewed by 890 readers and 34 Twitter posts received 647 engagements. These communications ranged from highlighting secure remote teaching resources to outlining U of T’s new multi-factor authentication service, UTORMFA.

The U of T community was also encouraged to test their security and privacy knowledge in activities, including weekly CSAM Trivia and a new UTORMFA BINGO game. The participants of both games were entered into raffles to win Amazon gift cards.

  • The CSAM Trivia 2020 winners are Seth Akira Feldman, Mahnoor Mukhtar and Tara Wells
  • The UTORMFA BINGO winner will be announced shortly.

Though the campaign has come to an end, we should not let down our guard when it comes to remote security. Continue to visit the Security Matters website regularly for resources. Plus, review links to all the CSAM 2020 materials here:

Coffee with the CISO — student session

University of Toronto (U of T) students are invited to meet and have a conversation with U of T’s Chief Information Security Officer (CISO), Isaac Straley, at a virtual Coffee with the CISO event.

Straley joined U of T in 2018 and he holds the inaugural appointment of CISO at the University. As the CISO, he is responsible for providing strategic leadership and oversight of U of T’s information security and privacy programs. He leads senior technology managers and staff on securing University systems and data assets and implementing practices that meet U of T’s policies and standards for information security. In addition, the CISO identifies, evaluates and reports information security risks to the chief information officer.

Attendees will join Isaac Straley for an engaging conversation — discussing his role as CISO, careers in Information Security and how data privacy and security relates to our higher education environment. Come prepared with topics or questions that interest you, as these sessions are open conversations between Isaac and the attendees.

Date: Nov. 12, 2020
Time: 10:30 – 11:30 a.m.
Register*: https://its.eve.utoronto.ca/home/events/1025

*Spaces are limited

Microsoft Teams users: watch for impersonation phishing attack

Microsoft (MS) Teams users should be wary of an impersonation phishing attack that is currently circulating. The attack mimics message notifications from the popular communication platform in order to steal Office 365 credentials from unsuspecting users.

The phishing email is usually sent from the display name, “There’s new activity in Teams,” which gives the appearance of a legitimate automated notification from the MS Teams platform. The email falsely notifies the recipient that they have unread messages and prompts them to respond by clicking on the “Reply in Teams” button embedded in the email.

The user is then taken to a fake Microsoft login page where they are prompted to enter their credentials before being able to view the message. These fake Microsoft login pages are said to be well-crafted and therefore very convincing to the end user. Some have even been reported to contain the name “microsftteams” in the URL.

Users can protect themselves from this attack by:

  • Not clicking on the link or button in the email if you are unsure. Instead, go directly to the MS Teams app, or log into Teams via your web browser, to read any messages. If the message in the app or browser does not match the notification received by email, it is highly likely the email was a phishing attempt.
  • Ensuring multi-factor authentication (MFA) is set up for their Office 365 account; for University of Toronto faculty and staff, this is UTORMFA. For more information on how to set up UTORMFA, please visit: https://isea.utoronto.ca/services/utormfa/.

If you suspect you have received a phishing email like the one described here, please report it to report.phishing@utoronto.ca.
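The red flags called out above for this Teams lure (a display name that claims to be a system notification, a misspelled brand such as “microsftteams” in the URL, and a button whose target is not where it appears to go) are the same ones the earlier phishing takeaway recommends checking by hovering over links. The following is an added example, not U of T’s code or any Microsoft tooling, of turning those checks into a small triage script that a help desk could run over a reported message. The allow-list in TRUSTED_DOMAINS, the brand tokens and the sample emails are assumptions constructed for the demonstration.

```python
"""Phishing-indicator checks for notification-style emails (added example).

Flags: a brand name in the display name with a sender domain outside the
allow-list, a misspelled brand label in a link's hostname, a brand name used
as a subdomain of an untrusted host, and visible link text that shows a
different site than the link actually targets.
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains a genuine Teams notification would link to.
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com"}
# Brand words whose near-misspelling in a hostname label is a strong signal.
BRAND_TOKENS = ("microsoft", "teams")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (crude, but enough for this example)."""
    return ".".join(host.lower().split(".")[-2:])


def is_trusted(host):
    return registrable_domain(host) in TRUSTED_DOMAINS


def lookalike_label(host):
    """Return the first hostname label that is a near-miss of a brand token
    (e.g. 'microsftteams'), or None. A label containing the exact token is
    not a near-miss; that case is covered by brand_in_subdomain."""
    for label in host.lower().replace("-", ".").split("."):
        for token in BRAND_TOKENS:
            if token in label:
                continue
            # Compare every window of roughly the token's length against it.
            for width in (len(token) - 1, len(token), len(token) + 1):
                for i in range(0, len(label) - width + 1):
                    window = label[i:i + width]
                    if SequenceMatcher(None, window, token).ratio() >= 0.85:
                        return label
    return None


def brand_in_subdomain(host):
    """True if an exact brand token is a label of host, e.g. microsoft.com.evil.example."""
    return any(label in BRAND_TOKENS for label in host.lower().split("."))


def assess_email(display_name, from_address, html_body):
    """Return a list of (indicator, detail) pairs; an empty list means no red flag."""
    findings = []
    sender_host = from_address.rsplit("@", 1)[-1]
    claims_brand = any(t in display_name.lower() for t in BRAND_TOKENS)
    if claims_brand and not is_trusted(sender_host):
        findings.append(("spoofed-sender",
                         f"display name {display_name!r} but sender domain is {sender_host}"))

    parser = LinkExtractor()
    parser.feed(html_body)
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if is_trusted(host):
            continue
        label = lookalike_label(host)
        if label:
            findings.append(("lookalike-domain", f"{host} contains misspelled brand label {label!r}"))
        elif brand_in_subdomain(host):
            findings.append(("brand-in-subdomain", f"brand name used as a subdomain of {host}"))
        else:
            findings.append(("untrusted-link", f"link points to {host}"))
        # Hover check: visible text that shows a URL whose host differs from the real target.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append(("link-text-mismatch",
                             f"text shows {shown.group(1)} but link goes to {host}"))
    return findings


# Constructed sample messages for the demonstration (not real senders).
PHISH = dict(
    display_name="There's new activity in Teams",
    from_address="notify@microsftteams-alerts.example",
    html_body='<p>You have unread messages.</p>'
              '<a href="https://login.microsftteams-alerts.example/auth">Reply in Teams</a>',
)
GENUINE = dict(
    display_name="There's new activity in Teams",
    from_address="noreply@email.teams.microsoft.com",
    html_body='<a href="https://teams.microsoft.com/l/message/1">Reply in Teams</a>',
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, assess_email(**msg))
```

Run stand-alone, the constructed lure produces a spoofed-sender finding and a lookalike-domain finding for the “microsftteams” label, while the genuine-looking message produces none. The similarity threshold and the two-label registrable-domain rule are deliberately simple; a production filter would use a maintained public-suffix list and a larger allow-list, but the structure of the checks is the same one a user performs by hand when hovering over a link.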

Refresh your security practices with ITS’ resource collection

The University of Toronto (U of T) community has access to a variety of resources and educational materials on the topic of cyber security. Staff, faculty and students are encouraged to use these resources to help spread awareness and educate themselves on cyber security best practices for their workspace (at home or in the office), classroom or academic space.

Interested parties can access this collection of digital materials on the Security Matters Resource page to download quick facts, tip sheets, PowerPoint templates and other shareable, printable materials. Included in this collection are Cyber Security Awareness Month (CSAM) 2020 resources from U of T and the Ministry of Government and Consumer Services.

The growing resource collection covers fundamental cyber security best practices such as:

  • Best practices for keeping your devices secure
  • Safe account and password management
  • Phishing and identity theft awareness
  • Managing your digital footprint
  • Setting up your social media privacy settings
  • Maintaining a secure digital and physical workspace
  • Securing your data while travelling

Browse through the defined sections in the navigation tab for specific resources:

Click here to access resources.

For more information on how you can incorporate these resources into your personal and work life, find us at securitymatters.utoronto.ca.