Five data breaches that made headlines in 2021

Data breaches and ransomware have become major risks, imposing heavy losses on individuals and organizations around the world. IBM’s 2021 Cost of a Data Breach report found the highest average breach cost in the 17 years it has tracked the figure: $4.24 million USD, up from $3.86 million the year before.

As we prepare to recognize Data Privacy Day on Jan. 28 and raise awareness about safeguarding our personal information, let’s take a look at five data breaches that made headlines in 2021 and learn how to keep ourselves safe online:

Data of more than 500 million Facebook (Meta) users leaked online

In April 2021, personal information (full names, phone numbers, locations, birth dates and more) of 533 million Facebook (Meta) users was leaked online and posted for free on a hacking forum. The records covered users in 106 countries, including over 32 million in the U.S., 11 million in the UK and 6 million in India.

Review these information security tips to learn how to protect yourself online.

Ransomware attack against Superior Plus

In December 2021, Canadian propane distributor Superior Plus reported a ransomware attack that disrupted the company’s computer systems. The company said it had to temporarily disable certain systems and applications while it investigated the incident.

Ransomware attacks can lead to long-term and significant damage—from loss of sensitive data to shutting down operations. Learn how you can protect yourself from ransomware.

Luxury retailer Neiman Marcus data breach impacts over 4 million customers

In September 2021, American luxury retailer Neiman Marcus reported a data breach affecting 4.6 million customers. The intrusion occurred in May 2020 but was only discovered in September 2021. The compromised data potentially included over 3.1 million customer payment cards.

Check out this blog post to learn how to stay safe while shopping online.

Hackers access personal details of 4.5 million Air India passengers

In March 2021, India’s national airline Air India reported a cyber-attack on its data servers affecting about 4.5 million passengers worldwide. The leaked data included several categories of personal information. The airline said that no passwords were stolen but nevertheless asked customers to change their Air India passwords immediately as a precaution.

Strong passwords are the first line of defense in protecting your institutional data and personal information. Learn more about the importance of safe password practices.

Canada Revenue Agency (CRA) locks out taxpayer accounts after discovering use of unauthorized credentials

In 2021, the CRA locked about 800,000 taxpayer accounts after discovering that their credentials were available to unauthorized parties. The CRA said the credentials may have been obtained through email phishing or third-party data breaches.

Staying alert to phishing attacks is essential. Learn how to identify and report phishing attacks.

This article is part of a series for Data Privacy Day 2022. To learn about how evolving technology and privacy laws impact higher education, register for the virtual panel event on Jan. 28.

Join us to celebrate Data Privacy Day on Jan. 28!

Data Privacy Day, celebrated on Jan. 28 each year, is an international campaign that empowers individuals and institutions to respect privacy and safeguard information.


Data Privacy Day 2022 virtual panel event poster

On Jan. 28, University of Toronto’s (U of T) Information Technology Services (ITS) division is hosting a virtual panel event: Impact of evolving technology and privacy laws in higher education.

In this one-hour virtual panel, you will hear from subject matter experts from legal, cyber security and privacy sectors and have the opportunity to ask questions in a live Q&A session.

Speakers:

  • Ashley Langille, Information Privacy Analyst, U of T
  • Carlos Chalico, IT Risk and Privacy Consultant, EY & Instructor, School of Continuing Studies, U of T
  • Daniel Michaluk, Information Security and Privacy Lawyer & Partner, Borden Ladner Gervais LLP
  • Deyves Fonseca, Associate Director, Information Security Operations, U of T

Moderator: Rafael Eskenazi, Director, Freedom of Information and Protection of Privacy Office, U of T

All U of T students, staff and faculty are welcome to attend.

Register

Learn how to protect your data

As the line between our physical and virtual lives blurs, Data Privacy Day acts as a reminder to make safeguarding our personal information a priority. Let’s work together to build, practice and promote safe data privacy practices.

Visit the Security Matters website throughout the month of January to learn how to protect your information.

Join the conversation on social media:

Data Privacy Day hashtags:

  • #PrivacyAware
  • #DataPrivacyDay2022
  • #DPD2022
  • #InfoSec
  • #PrivacyAwareness

View more Data Privacy Day 2022 promotional resources.

You’ve got a new voicemail (phishing) email!

As remote work and online classes give attackers ever more openings for cybercrime, it is important that members of the University of Toronto (U of T) community stay aware of how to spot and report phishing attacks.

This week, members of the U of T community, including staff, faculty and students, received a voicemail-themed phishing email; the attack was detected and blocked. The email carried an attachment containing a malicious link and was labelled ‘External’, a tag intended to make the recipient think it came from a trusted outside source.

The image below marks the red flags to look out for:

Phishing email about voicemail containing malicious attachment

Image: The email asks the recipient to click on the attachment to listen to the voicemail; the attachment is a malicious .HTM file that opens a link when it is viewed.

If you receive an email like this or any other suspicious email, do not click on any links or download any files from it. Report suspicious emails to report.phishing@utoronto.ca and brush up on the common red flags so you know what to look for.

To learn more about the recent phishing attacks and how to keep yourself safe online, visit: https://securitymatters.utoronto.ca/.

[Phish] 50141497*** Received -TSID: Powells WellCare Received on January 3, 2022, 3:22:33 PM

Details:

Subject: 50141497*** Received -TSID: Powells WellCare Received on January 3, 2022, 3:22:33 PM

Text:

New Voicemail Received.

Date received Monday, January 03, 2022
Caller Number *Malicious number inserted here*
Duration 00:00:54
Reference 1783-829-66312TD

 

To listen to this voicemail, click on the attachment in this email.
*Malicious link attached as voicemail*

Mark your calendar for Data Privacy Day 2022!

Data Privacy Day is celebrated worldwide every year on Jan. 28 to raise awareness about technology and privacy rights, including the importance of safeguarding our personal information.

The Information Technology Services (ITS) division is leading a Data Privacy Day 2022 campaign to raise awareness and educate the University of Toronto (U of T) tri-campus community on safe data privacy practices. The campaign will consist of resource sharing, educational blog posts and a virtual panel event featuring subject matter experts who will share their perspectives on how changes in technology and privacy laws impact higher education.

Stay tuned for more updates about Data Privacy Day 2022.

Building a security-aware culture

The University of Toronto (U of T) has partnered with the Canadian Internet Registration Authority (CIRA) and ORION to pilot an Information Security Awareness Training platform for delivering information security awareness courses.

“The Information Security Awareness Training pilot is part of our larger efforts to build a security-aware culture across the University and equip staff, faculty and students with the knowledge needed to protect themselves and the University against security threats,” says Kalyani Khati, Associate Director, Information Security Strategic Initiatives.

The training pilot was launched on Nov. 24 and is expected to run until February 2022. The participants will be given access to a training platform meant to provide general security awareness training to end-users with varying levels of security knowledge. The goal of the pilot is to collect participant feedback on the quality and value of the courses and to test the viability of the platform.

Approximately 150 faculty and staff members from various divisions within the tri-campus community are participating in the pilot. Their feedback and input will help guide decisions and plans to provide security training to the wider U of T community.

Stay tuned for further updates about the training pilot.

Cyber Security Awareness Month 2021 recap: Staying secure together

Believing that cyber security is a shared responsibility, the University of Toronto (U of T) community celebrated another Cyber Security Awareness Month (CSAM) this October. CSAM is an internationally recognized annual campaign that aims to educate individuals and institutions about the ever-changing field of cyber security and encourage best security practices.

For CSAM’s 10th anniversary, ITS’s Information Security team, in partnership with Education, Awareness & Culture (EAC), developed a CSAM campaign focusing on how the community can work together to stay safe online and protect personal and institutional information. Celebrated virtually for the second year in a row, the campaign included two virtual Coffee with the Chief Information Security Officer (CISO) events, a Secure Together virtual panel, multiple educational blog posts and an engaging social media contest.

“CSAM helps us educate the U of T community about information security and what we all can do to protect ourselves and the University against security threats,” says Kalyani Khati, Associate Director, Information Security Strategic Initiatives. “One of the key objectives of this year’s campaign was to spread awareness about the security resources and capabilities that are available to the U of T community, including data classification schema, Information Security Standard, incident response plan and multi-factor authentication.”

Throughout October, blog posts on topics ranging from the importance of enabling multi-factor authentication (MFA) to the Information Security Incident Response Plan were published on the Security Matters website; together with the campaign and resources pages, they garnered a total of 746 page views over the month.

CSAM-related content on the Security Matters website saw a 10 per cent increase in page views from last year’s campaign.

On the ITS Twitter account, CSAM content engagement (clicks, retweets, replies, follows and likes) increased by 106 per cent from the 2020 campaign. The CyberAware Twitter account also saw a 69 per cent increase in CSAM content engagement from last year.

Coffee with the CISO events

The Coffee with the CISO student session helped 11 U of T students learn more about the current outlook of cyber security at U of T and included meaningful insights from Isaac Straley, looking back on his career in the field. During the event, Isaac Straley, CISO, U of T said, “Fraud and phishing pose a significant threat to the University community. We are working with the community to address this risk by not only enhancing our security capabilities but also equipping community members with the knowledge they need to protect themselves.” 

Group photo from Coffee with the CISO event for CSAM 2021

The second Coffee with the CISO event welcomed 18 attendees and allowed U of T faculty and staff to engage with Isaac Straley about what cyber security looks like today in comparison to the past ten years and discuss what it will look like in the future. Straley encouraged an open and informal two-way conversation which allowed for an engaging and informative session.

The post-event survey concluded that attendees found these sessions very relevant and engaging. Most notably, the Q&A segment, two-way conversation and information about the security program were appreciated.

Secure Together virtual panel

On Oct. 26, the Secure Together virtual panel welcomed 49 attendees from across the tri-campus community. The panel featured three experts on the cyber security workforce, nation-state threats and government policy. The hour-long event opened with presentations from the panelists: Abdullah Alagha, Cyber Security Instructor, U of T; Ron Deibert, Director, the Citizen Lab; and Julia Le, Senior Manager, Cyber Security Education & Centre of Excellence, Ontario Government.

Image of panelists at the CSAM 2021 virtual panel

Speaking about the cyber security workforce, Abdullah Alagha attributed the skills shortage to three main causes: technology is becoming more complex, people find it difficult to keep up with ongoing changes and the education they require, and environments are becoming harder to control with all the processes they demand.

In his presentation about the latest high-end threats in cyber espionage, Ron Deibert spoke about embracing a culture of digital hygiene. He expressed that every organization should think about security from the ground up rather than leaving it as an after-thought.

During Julia Le’s session about how cyber-crime impacts us on a human level, she said, “Cyber security is not only about the technology, but also the ‘human factor’. Organizations and people should focus on educating people, as small actions online can have meaningful impacts.”

The panel was followed by an engaging Q&A session, during which the panelists offered practical information security tips such as keeping software up to date, using anti-virus software and using tools like Citizen Lab’s Security Planner to stay secure online.

Though CSAM 2021 has ended, it is our shared responsibility to stay safe and secure online every day. We hope the information shared throughout October keeps you cyber smart at home and at work, year-round.

Visit our 2021 CSAM resources page to learn how to protect yourself and your information. Continue to visit the Security Matters website for more cyber security related resources.

‘Tis the season to shop safe online

The holiday season is a lucrative time for online retailers and a vulnerable time for online shoppers. As many people take advantage of holiday deals and shop online, hackers take advantage of this time of the year to steal sensitive and confidential information.

With the increased number of phishing attacks in recent weeks, it’s important to stay aware and practice good cyber security during the holiday season. Here are five simple steps to protect your information and shop online safely:

Look out for suspicious emails

With the high volume of holiday messages, newsletters, sales and other emails landing in your inbox, ensure that you only open emails from known and trusted senders. Don’t click on unknown links, download attachments or reply to unsolicited emails from unfamiliar senders.

Secure your login

If an online retailer requires you to create an account for purchases, choose a strong password that you use nowhere else and turn on multi-factor authentication (MFA) where it is offered. A unique password for each account means that a password stolen in a breach at one retailer cannot be replayed against your other accounts. MFA adds a second check, such as a one-time code sent to your phone, so a stolen password alone is not enough to log in.

Think before you click

Be wary of clicking links from unfamiliar websites, particularly the ones that give away discounts that seem too good to be true. If you receive an enticing offer through email or text, do not engage. Visit the company’s official website or app to verify the legitimacy of the offer. Beware of smishing (SMS phishing) messages offering deals and discounts, even from brands you think you’re subscribed to as they could be fraudulent. If you receive an SMS from an unknown phone number, do not engage.

Don’t save your payment information online

When making an online purchase, pay attention to the information being requested to complete your purchase. Remember that you only need to fill out required fields while checking out. Online retailers are one of the biggest targets for hackers, and saving your credit card details on a retailer’s website could compromise your information in the event of a data breach.

Monitor your online activity

Check your online accounts and banking statements regularly for any suspicious activity. You can also set up alerts for your debit or credit cards to monitor suspicious activity.

Check out more tips you can follow to shop online securely this holiday season.  

For more information on cyber security, please visit https://securitymatters.utoronto.ca/. 

Safe shopping! 

[Phish] You have got an urgent message from the University of Toronto.

Details:

Subject: You have got an urgent message from the University of Toronto.

Text:

Dear User,

This is to let you know that our web-mail server will be upgraded and maintained soon.

If you don’t want your e-mail account to be terminated during the upgrade,

Send “UTORONTO–UPGRADE” to *malicious phone number inserted here*

You will receive instructions on how to upgrade your account via text message.

If you do not comply with the above, your email access will be disabled.

Please accept our apologies for any inconvenience this may cause.

Regards

System Administrator

The University of Toronto

New wave of phishing attacks

Access to a diverse range of data, from sensitive personal information to confidential research data, has made the University of Toronto (U of T) a popular target for various cyber-threats, including phishing.

Last week, more phishing attempts were reported as targeting the U of T community. The rising occurrence of phishing campaigns should serve as a reminder to stay aware and learn how to identify and report phishing.

Job scam emails

Job scam emails are crafted with the intent of gaining access to personal or institutional information. They are usually unsolicited and masquerade as employment offers to captivate the recipients’ interest. Often, hackers pretend to be from a well-known and legitimate company to convince recipients to respond to their email. These emails usually prompt recipients to reply to the message, click on a malicious link or download an attachment.

Unsolicited emails with employment offers that seem too good to be true should be treated with suspicion. Legitimate companies typically post vacancies with detailed job descriptions and department information on their official website or a trusted job search website. Qualified candidates are then contacted for interviews via official channels of communication.

Below are the two job scam emails that were sent to U of T community members. Review the emails to identify some of the red flags:

Phishing email impersonating U of T HR department for job scam

Image 1: This phishing email impersonates a U of T staff member and contains a malicious link.

Phishing email impersonating U of T HR department

Image 2: This phishing email impersonates a U of T staff member and contains a malicious phone number to respond.

The second email takes a more sophisticated approach as it attempts to get the recipient to respond through a text message. This is called smishing, a type of social engineering where cyber criminals attempt to trick the recipients through text messages. Like phishing, smishing depends on tricking recipients into co-operating by texting or providing personal information.

Spoofing and spear phishing

Email spoofing is a technique hackers use to make phishing emails appear to come from a trusted and legitimate source. For example, the email below (image 4) appears to be sent from Microsoft; however, it includes an urgent prompt to click on a malicious link leading to a spoofed login page. Hackers attempt to mislead recipients into providing their username, password and other important information.

Sometimes, hackers target an individual or a small group within an institution. These emails often address the recipient by name and include personalized language. This is called spear phishing and can be hard to spot without close inspection.

Review the emails below to identify the red flags:

Phishing email about voicemail containing malicious attachment

Image 3: This phishing email tries to trick the recipient into thinking they have a voicemail, which is a malicious attachment.

Phishing email mimicking MS Office password expiry notice

Image 4: This phishing email mimics a system-generated password expiration email from Microsoft and contains a malicious link.

Please note that any information about technology upgrades or updates will always be communicated by your division or department through official U of T communication channels.
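The red flags called out in this post and in the voicemail-phishing post above (a .HTM attachment posing as a voicemail, a prompt to respond by text message, a ‘Microsoft’ or ‘System Administrator’ display name on an unrelated sending domain, threats that an account will be disabled) can be checked mechanically. The script below is an added example, not code from the Security Matters site or a U of T tool: it parses a raw email with Python’s standard library and lists the red flags it finds. The three sample messages are constructed from the lure text quoted on this page; the sender addresses, the phone number and the IDENTITY_DOMAINS table are assumptions.

```python
"""Phishing red-flag triage over raw RFC 5322 / MIME messages.

Added example; not code from the original page. Sample messages are
constructed from lure text quoted on the page and are not captured mail.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types that run or render a link when opened; the voicemail lure
# on this page used a .HTM attachment for exactly that reason.
RISKY_EXTENSIONS = {".htm", ".html", ".hta", ".js", ".lnk", ".vbs", ".iso"}

# Lure phrases taken from the samples on this page, plus the job-scam variant.
LURE_PATTERNS = [
    (re.compile(r"\bvoice ?mail\b", re.I), "voicemail lure"),
    (re.compile(r"\bpassword[^.\n]{0,30}\bexpir", re.I), "password-expiry lure"),
    (re.compile(r"\b(terminated|disabled|suspended)\b", re.I), "threat of account loss"),
    (re.compile(r"\b(job|employment) (offer|opportunity)\b", re.I), "unsolicited job offer"),
]

# "Send X to <number>" / "text <number>": the smishing pivot described above.
SMS_PIVOT = re.compile(r"\b(send|text)\b[^.\n]{0,60}?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b", re.I)

# Identities phishers borrow in the display name; the sending domain must match.
# None stands for the reader's own institutional domain (assumption: utoronto.ca).
IDENTITY_DOMAINS = {
    "microsoft": ("microsoft.com", "office.com"),
    "university of toronto": (None,),
    "system administrator": (None,),
}


def _domain_matches(domain: str, allowed) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def red_flags(raw: bytes, own_domain: str = "utoronto.ca") -> list[str]:
    """Return human-readable red flags found in one raw message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    # 1. Display-name spoofing: trusted name, unrelated sending domain.
    for name, domains in IDENTITY_DOMAINS.items():
        allowed = tuple(d or own_domain for d in domains)
        if name in display.lower() and not _domain_matches(sender_domain, allowed):
            flags.append(f"display name claims '{name}' but sender domain is {sender_domain or '<none>'}")

    # 2. Reply-To diverted to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    # 3. Attachment whose type opens a browser or script host rather than a document.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_EXTENSIONS or part.get_content_type() == "text/html":
            flags.append(f"risky attachment {filename!r} ({part.get_content_type()})")

    # 4. Lure phrases and the SMS pivot, checked over subject plus text body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    for pattern, label in LURE_PATTERNS:
        if pattern.search(text):
            flags.append(label)
    if SMS_PIVOT.search(text):
        flags.append("asks the reader to respond by text message (smishing pivot)")
    return flags


def verdict(flags: list[str]) -> str:
    """Any risky attachment, or two independent flags, is enough to report."""
    if any(f.startswith("risky attachment") for f in flags) or len(flags) >= 2:
        return "report to report.phishing@utoronto.ca; do not open"
    return "treat with caution" if flags else "no red flags found"


def build_sample(sender: str, subject: str, body: str, attachment=None) -> bytes:
    """Construct a raw message for the demo (constructed data, not captured mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@utoronto.ca"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        filename, maintype, subtype, data = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples modelled on the lures quoted on this page (senders assumed).
VOICEMAIL_PHISH = build_sample(
    '"Powells WellCare" <noreply@example.net>',
    "50141497*** Received -TSID: Powells WellCare",
    "New Voicemail Received.\nDuration 00:00:54\n"
    "To listen to this voicemail, click on the attachment in this email.",
    ("voicemail.htm", "text", "html", b"<html><body><a href='https://example.net/x'>Play</a></body></html>"),
)
UPGRADE_SMISH = build_sample(
    '"System Administrator" <admin@example.org>',
    "You have got an urgent message from the University of Toronto.",
    "Our web-mail server will be upgraded and maintained soon.\n"
    'Send "UTORONTO-UPGRADE" to 416-555-0199\n'  # constructed number
    "If you do not comply, your email access will be disabled.",
)
LEGITIMATE = build_sample(
    '"Jane Doe" <jane.doe@utoronto.ca>',
    "Minutes from Monday's meeting",
    "Hi all, the minutes are attached. Thanks, Jane",
    ("minutes.pdf", "application", "pdf", b"%PDF-1.4 constructed placeholder"),
)

if __name__ == "__main__":
    for label, raw in (("voicemail", VOICEMAIL_PHISH), ("upgrade", UPGRADE_SMISH), ("legit", LEGITIMATE)):
        found = red_flags(raw)
        print(f"{label}: {verdict(found)} {found}")
```

Run as a script, it prints a verdict for each sample; the voicemail message is reported on the strength of its .HTM attachment alone, the ‘upgrade’ message on the combination of a borrowed identity, a threat and the request to text a number, and the genuine message from a utoronto.ca address with a PDF raises nothing. The checks are deliberately simple string and header tests so the logic is easy to audit; in production they would sit behind the mail gateway’s own authentication results (SPF, DKIM, DMARC) rather than replace them.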

Phishing continues to be one of the most prevalent forms of social engineering. For more information about protecting yourself online, please visit https://securitymatters.utoronto.ca/.