Information security news roundup: Ransomware attacks, text message scams and cyber security training

In recent years, headlines about information security incidents have become increasingly common both nationally and internationally. Cyber criminals steal passwords, personal information and other sensitive data through various types of cyber attacks. Staying up to date with cyber security news and knowing how to stay safe online will help protect your personal information.

Take a look at some interesting information security related news in the recent months.

Making ransom payment no assurance of getting data back: Telus

Ransomware attacks have been making headlines almost daily around the world. According to a recent study by Telus, almost half of surveyed Canadian organizations that suffered a recent ransomware attack paid the attacker in hopes of getting their data back, however, most did not get access back to their data.

Ransomware attacks can have significant impact – in the worst cases, shutting down operations entirely and risking loss of critical information. Learn how you can protect yourself from ransomware.

Winnipeg Regional Health Authority warns public of text message scam

The Winnipeg Regional Health Authority (WRHA) reported that people are receiving text messages claiming to be from the WRHA, asking recipients to click on an e-transfer link. This scam was reported to the Canadian Centre for Cyber Security.

This form of phishing that uses fraudulent text messages is called “smishing”. Learn more about the types of scams and frauds and how to protect yourself.

Panasonic Canada acknowledges cyber attack

Japanese electronics conglomerate Panasonic has reported that its Canadian operations were struck by a cyber attack in February after ransomware-as-a-service (RaaS) gang Conti leaked its data to the dark web. The company confirmed that action was taken to address the issue with assistance from their cyber security experts and service providers.

Check out the educational resources on the Security Matters website to learn how to stay safe online.

Cyberbreach at Rideau Hall was ‘sophisticated’ intrusion, internal documents reveal

In December 2021, Rideau Hall reported a breach of internal networks in the office that supports the governor general. Now, new documents have revealed the breach was a sophisticated cyber incident, although the office was unable to confirm the extent of the information that was accessed.

Cyber breaches can lead to loss of sensitive data and reputational damage. Timely reporting of incidents can help mitigate their impact.

University of Calgary and Raytheon Canada partner to open new cybersecurity training centre

The new Canadian Cyber Assessment, Training and Experimentation Centre (CATE) will support students in building their skills in cyber security.

At U of T, building a security aware culture is critical for protecting individuals and the university against security threats. Recently, the University partnered with the Canadian Internet Registration Authority and ORION to pilot an Information Security Awareness platform as part of building a security aware culture at U of T.

For more tips on staying safe online, visit the Security Matters website.

Data privacy: A multi-faceted topic in higher education

To celebrate Data Privacy Day on Jan. 28, Information Technology Services (ITS) hosted a virtual panel event: Impact of evolving technology and privacy laws in higher education. The one-hour event opened a conversation about data privacy and protection and answered privacy questions from the University of Toronto (U of T) community.

Over 145 attendees including staff, faculty and students from the tri-campus community joined virtually to learn from legal, cybersecurity and privacy experts on how changes in technology and privacy laws impact higher education. The featured panelists were:

  • Ashley Langille, Information Privacy Analyst
  • Carlos Chalico, IT Risk and Privacy Consultant, EY & Instructor, School of Continuing Studies, U of T
  • Daniel Michaluk, Information Security and Privacy Lawyer & Partner, Borden Ladner Gervais LLP
  • Deyves Fonseca, Associate Director, Information Security Operations

The event was moderated by Rafael Eskenazi, Director, Freedom of Information and Protection of Privacy (FIPP) Office.

“The Data Privacy Day virtual panel event provided a great opportunity to engage with the U of T community, to answer their questions about privacy and to share University resources they can use to protect personal information,” said Kalyani Khati, Associate Director, Information Security Strategic Initiatives.

Highlights from the event

DPD panel event screenshot

From left to right: Deyves Fonseca (bottom left), Daniel Michaluk (top left), Rafael Eskenazi (top right), Carlos Chalico, Ashley Langille (bottom right)

Daniel Michaluk began the session by speaking about the Freedom of Information and Protection of Privacy Act (FIPPA) and observed how there hasn’t been an adverse regulatory finding about a university’s privacy practices since FIPPA was introduced in Ontario. Michaluk explained that this can be attributed to the good work done by the universities of Ontario, so there is no historical basis for additional regulation in the sector.

“Right from the start in 2006, all the Ontario universities took FIPPA and privacy protection very seriously, and from some good work early on by the Council of Ontario Universities, there’s been a continuous dialogue in the sector about privacy,” he said.

Speaking about the University’s digital transformation, Deyves Fonseca expressed that the pandemic brought significant changes with the move of data to the cloud. He said that the move to using the cloud is going to continue and accelerate as part of U of T’s digital transformation as we prepare to go back to in-person work and learning.

Collaboration was the keyword during Carlos Chalico’s presentation. “We need to think about collaboration across organizations to minimize cyber security risks,” said Chalico. “Alliances are necessary within organizations to protect information as a business issue, not just a tech issue.”

Ashley Langille remarked that the inclusion of stricter General Data Protection Regulation (GDPR) focused language in privacy policies has created issues with informed consent, as the language in these policies often only apply to data of European Union (EU) citizens and is often misinterpreted to apply to all users. Ashley noted that inclusion of a GDPR protection in policy does not necessarily translate to FIPPA compliance.

The presentations were followed by a Q&A session which consisted of pre-submitted and live questions from the audience. Some key highlights from the Q&A session:

Raffle winners

Two attendees were randomly selected to win a $50 U of T Bookstore gift card. Congratulations to the raffle winners:

  • Bismah Khalid, On Location Accessibility Advisor, University of Toronto Accessibility Services
  • Linda Ye, Senior Auditor – Information Systems, Internal Audit Department

Visit the Security Matters website to learn more about protecting yourself online and your data.

Don’t fall for online job scams

Job offer scams are a form of phishing used to take advantage of students and new graduates who are seeking employment.

Job offer scams typically work like this—you receive an unsolicited email that invites you to apply for or start a job with a high-paying salary. In most cases, the hacker asks for various forms of information from personal information to banking information, which can be used for financial and identity theft.

This week, many members of the University of Toronto (U of T) community received a fake job offer email (image below), which asked recipients to provide personal and banking information. Let’s brush up on some of the common red flags to help you identify job offer scams:

Job scam email Jan 2022 feature image

View higher resolution image.

  • Generic emails: Hackers send mass emails in anticipation of getting responses from multiple recipients. Emails from legitimate and trusted sources will always address the recipient by name.
  • Poorly worded emails: Phishing emails can often be identified by poor grammar and spelling. Right from the subject line, this job scam email displayed these flaws. Always make sure to read the email carefully and check for spelling and grammatical mistakes, as well as awkwardly worded sentences.
  • Unsolicited emails: Most companies post job vacancies on their careers portal or legitimate job boards. One way to validate the legitimacy of a job posting is to check for the posting on the company’s official website or job boards. If you didn’t apply for the position and the person contacting you isn’t a recruiter from a reputable company or recruitment firm, the odds are it is a scam.
  • Emails from fake companies: Hackers also use advertising and job listing websites to “recruit” potential victims. Ensure that you do a search online for the company name and check if they have a legitimate physical address.
  • Emails from free email providers: Most companies have professional email addresses and do not use free email providers like Gmail. If you receive a job offer and the email address looks more like a personal email address than a business address, be suspicious.
  • The perfect job offer: If an email states extremely high compensation for a position that requires “no skills or experience, and few hours to work” and seems too good to be true, then it is likely a scam.
  • Asking for personal and financial information: While it is true that you have to provide your employer with some forms of identification and banking information before you start your job, if a company is asking you for this information before the interview or in the initial email, the job is likely a scam.

Visit the  Security Matters website for more information on identifying and reporting a phishing attempt.

New phishing email impersonating Information Technology (IT) administration

Phishing emails are designed to trick recipients into taking an action, such as clicking a malicious link or opening a malicious attachment. Hackers may also use tactics like smishing, which attempt to trick the recipients through text messages or SMS.

This week, members of the University of Toronto (U of T) community received an email impersonating U of T’s IT administration that asked recipients to respond through SMS. Please note that any technology upgrades or updates will always be communicated by your division or department through official U of T channels prior to deployment.

Sense of urgency is a big factor that hackers use to get recipients to take action. You will be able to identify and report phishing by taking a moment to review your emails for common red flags.

The image below marks the red flags to look out for:

Smishing attack with red flags

Hackers are constantly adopting new techniques to steal information, so it is imperative that we stay alert and aware to better protect ourselves online.

What to do if you receive a suspicious email

  • Review the common red flags.
  • Do not act on any of the email prompts including clicking the link, providing personal information, opening the attachment or sending SMS.
  • Forward the email to report.phishing@utoronto.ca and then delete it from your inbox.
  • If you already engaged with the email, please contact security.response@utoronto.ca  immediately for assistance.

Visit the Security Matters website for more information.

[Phish] You have got an urgent message from the University of Toronto.

Details:

Subject: You have got an urgent message from the University of Toronto.

Text:

Dear User,
This is to let you know that our web-mail server will be upgraded and maintained soon.

If you don’t want your e-mail account to be terminated during the upgrade,

Send “UTORONTO–UPGRADE” to *malicious phone number inserted here*

You will receive instructions on how to upgrade your account via text message.

If you do not comply with the above, your email access will be disabled.
Please accept our apologies for any inconvenience this may cause.

 

Regards
System Administrator
The University of Toronto

Five data breaches that made headlines in 2021

Data breaches and ransomware have become massive risks costing large losses to both individuals and organizations around the world. IBM reported that 2021 saw the highest average cost of a data breach in the last 17 years, with the cost rising from $3.86 million to $4.24 million USD on an annual basis.

As we prepare to recognize Data Privacy Day on Jan. 28 and raise awareness about safeguarding our personal information, let’s take a look at five data breaches that made headlines in 2021 and learn how to keep ourselves safe online:

Data of more than 500 million Facebook (Meta) users leaked online

Personal information (full names, phone numbers, locations, birth dates and more) of 533 million Facebook (Meta) users was leaked online and made available for free on a hacking forum in April 2021. The data exposed include data of users from 106 countries, including over 32 million records on users in the U.S., 11 million on users in the UK, and 6 million on users in India.

Review these information security tips to learn how to protect yourself online.

Ransomware attack against Superior Plus

In December 2021, Canadian propane distributor Superior Plus reported a ransomware attack which disrupted the company’s computer systems. The company said that theyhad to temporarily disable certain computer systems and applications while they investigated the incident.

Ransomware attacks can lead to long-term and significant damage—from loss of sensitive data to shutting down operations. Learn how you can protect yourself from ransomware.

Luxury retailer Neiman Marcus data breach impacts over 4 million customers

In September 2021, American luxury retailer Neiman Marcus reported a data breach that impacted 4.6 million customers. Though the leak took place in May 2020, it was only detected in September 2021. The leak also included the potential theft of over 3.1 million payment cards belonging to customers.

Check out this blog post to learn how to stay safe while shopping online.

Hackers access personal details of 4.5 million Air India passengers

In March 2021, India’s national airline Air India reported a cyber-attack on its data servers, which affected about 4.5 million customers around the world. The information leaked contained various forms of personal information. The airline claimed that no passwords were stolen but asked its customers to immediately change their Air India password for protection.

Strong passwords are the first line of defense in protecting your institutional data and personal information. Learn more about the importance of safe password practices.

Canada Revenue Agency (CRA) locks out taxpayer accounts after discovering use of unauthorized credentials

Last year, taxpayers were locked out of their CRA accounts for about 800,000 accounts. The CRA claimed that the credentials may have been obtained through email phishing or third-party data breaches.

In today’s age, it is of utmost importance to stay alert and protect ourselves from phishing attacks. Learn how to identify and report phishing attacks.

This article is part of a series for Data Privacy Day 2022. To learn about how evolving technology and privacy laws impact higher education, register for the virtual panel event on Jan. 28.

You’ve got a new voicemail (phishing) email!

As remote work and online classes are increasingly becoming a gateway for advanced cybercrimes, it is important that members of the University of Toronto (U of T) community stay aware of how to spot and report phishing attacks.

This week, members of the U of T community including employees, faculty and students received a voicemail-to-email phishing attack, which was successfully thwarted. The email contained an attachment with a malicious link and was marked as ‘External’ to mislead the recipient into thinking it was sent by a trusted external source.

The image below marks the red flags to look out for:

Phishing email about voicemail containing malicious attachment

Image: The email asks the recipient to click on the attachment to listen to the voicemail, which is a malicious link to a .HTM file.

If you receive an email like this or other suspicious emails, please do not click on any links or download any files from the email. Make sure to report suspicious emails to report.phishing@utoronto.ca and brush up on the common red flags so, you know what to look for.

To learn more about the recent phishing attacks and how to keep yourself safe online, visit: https://securitymatters.utoronto.ca/.

[Phish] 50141497*** Received -TSID: Powells WellCare Received on January 3, 2022, 3:22:33 PM

Details:

Subject: 50141497*** Received -TSID: Powells WellCare Received on January 3, 2022, 3:22:33 PM

Text:

New Voicemail Received.

Date received Monday, January 03, 2022
Caller Number *Malicious number inserted here*
Duration 00:00:54
Reference 1783-829-66312TD

 

To listen to this voicemail, click on the attachment in this email.*Malicious link attached as voicemail*

[Phish] You have got an urgent message from the University of Toronto.

Details:

Subject: You have got an urgent message from the University of Toronto.

Text:

Dear User,

This is to let you know that our web-mail server will be upgraded and maintained soon.

If you don’t want your e-mail account to be terminated during the upgrade,

Send “UTORONTO–UPGRADE” to *malicious phone number inserted here*

You will receive instructions on how to upgrade your account via text message.

If you do not comply with the above, your email access will be disabled.

Please accept our apologies for any inconvenience this may cause.

Regards

System Administrator

The University of Toronto