What Regulators Need to Know About Credential Security
At Thentia, we understand how important data security is for regulatory organizations. Our mission is to provide the most efficient, cost-effective technology for regulators around the world, and an integral part of this is ensuring that sensitive and personal information is protected. Because Thentia follows information security issues closely, we have been monitoring the recent wave of cyberattacks on Canada Revenue Agency accounts and on other services accessed through GCKey. These attacks underline why unsurpassed information security for regulators is part of Thentia’s mission.
What was hacked?
The federal government has said that over 11,000 Canadian accounts were compromised, including over 5,500 CRA accounts. The attackers used their victims’ accounts to apply for emergency benefits. As harmful as these attacks were, the method behind them was not as sophisticated as one might assume. They are a wake-up call: keeping online accounts safe must be a top priority for service providers and users alike.
What is Credential Stuffing?
According to the Government of Canada, the attackers used a surprisingly simple tactic known as “credential stuffing”: taking username and password pairs leaked in an earlier breach of some other site and trying them, usually with automated tools, against accounts on a different service. It needs no vulnerability in the target and is cheap to run at scale, which is why it is a favoured tactic; it works only because people reuse passwords. Reusing a single password across accounts therefore exposes most of your personal information at once. It is like a domino effect: if attackers obtain your password from a company with weaker security because it handles lower-risk information, they can then try it against higher-value targets such as your bank, your email or the systems you log in to for your employer. Creating a separate complicated password for every account can feel tedious, but it is the one habit that stops this attack, and it matters all the more since cyberattacks have increased this year.
When the COVID-19 pandemic swept through the world, people became reliant on online services to pay bills, apply for benefits, stay in contact with friends and family, and work remotely. This did not go unnoticed by cybercriminals. In April, half a million account credentials for the popular videoconferencing platform Zoom were reported stolen. Once attackers hold a working password for a service like Zoom, they use credential stuffing to try it against more sensitive accounts, such as online banking.
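The pattern described above, in which one source tries the leaked password for many different accounts, is visible in a service’s own authentication logs. The following is an added example (not Thentia’s code, and not from the Government of Canada or FBI material cited on this page) showing how a provider can flag that pattern and list the accounts that were actually taken over. The log format, the sample lines and the thresholds are all constructed assumptions for the example.

```python
"""Spot credential-stuffing traffic in authentication logs.

Credential stuffing has a distinctive shape: one source tries *many
different usernames*, roughly once each (the password leaked for that
account elsewhere), and most attempts fail.  A legitimate user who
mistypes their password retries the *same* username a few times.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic).  Format assumed for this
# example: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-08-15T10:00:01Z 203.0.113.7 alice FAIL
2020-08-15T10:00:02Z 203.0.113.7 bob FAIL
2020-08-15T10:00:02Z 203.0.113.7 carol OK
2020-08-15T10:00:03Z 203.0.113.7 dave FAIL
2020-08-15T10:00:03Z 203.0.113.7 erin FAIL
2020-08-15T10:00:04Z 203.0.113.7 frank FAIL
2020-08-15T10:00:10Z 198.51.100.20 alice FAIL
2020-08-15T10:00:15Z 198.51.100.20 alice FAIL
2020-08-15T10:00:21Z 198.51.100.20 alice OK
2020-08-15T10:01:00Z 192.0.2.44 grace OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    usernames: set = field(default_factory=set)


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def summarise(log_text):
    """Aggregate attempts, successes and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.successes += int(ok)
        s.usernames.add(user)
    return stats


def flag_stuffing(stats, min_attempts=5, min_distinct_ratio=0.8,
                  max_success_rate=0.5):
    """Return source IPs whose pattern looks like credential stuffing.

    Thresholds are illustrative assumptions; tune them to the service's
    own baseline.  A high distinct-username ratio separates stuffing
    from a single user retrying, and a low success rate separates it
    from an office NAT address where many real users log in correctly.
    """
    flagged = []
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        distinct_ratio = len(s.usernames) / s.attempts
        success_rate = s.successes / s.attempts
        if distinct_ratio >= min_distinct_ratio and success_rate <= max_success_rate:
            flagged.append(ip)
    return sorted(flagged)


def suspected_takeovers(log_text, flagged_ips):
    """Accounts that logged in successfully from a flagged source.

    These are the accounts whose reused password actually worked: force
    a password reset and review their recent activity.
    """
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        if ok and ip in flagged_ips:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    bad = flag_stuffing(stats)
    print("stuffing sources:", bad)
    print("accounts to reset:", suspected_takeovers(SAMPLE_LOG, set(bad)))
```

On the sample log, 203.0.113.7 is flagged (six different usernames, one success) and carol is the account to reset; 198.51.100.20 is alice retrying her own password and is not flagged. Real attackers spread attempts across many IPs, so in production the same counting is usually done per user-agent, per ASN or per session fingerprint as well as per IP.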
Why are Regulators at Risk?
According to the FBI, the methods attackers use include “online purchase of stolen Personal Identifiable Information, previous data breaches, computer intrusions” as well as the “theft of data from individuals or third parties, and from public websites and social media accounts”. Regulators frequently handle vast amounts of sensitive information: personal medical records, financial details, private information about clients and employees, and the like. If such information were compromised, it could lead to identity theft, significant financial losses, and considerable damage to a regulator’s reputation.
Simple ways to protect your data
Now more than ever, it is essential to use a unique password for every single account. On the user side, there are a number of tactics you can use to defend your personal information online.
- When you are creating a new account and the website ranks the strength of your password, make sure it is ranked medium or higher, and never use one it ranks “weak”. Treat the meter as a floor, not a guarantee.
- Never reuse a password. Your social media, email, banking and government-service passwords should all be different. Your email password matters most, because password resets for every other account go through it.
- Use a combination of lower- and upper-case letters, numbers and special characters, but remember that length matters more than variety: a long passphrase of several unrelated words resists guessing far better than a short string of mixed characters.
- If an online application or service you use is breached, change your password there even if your account was not directly affected, and change it anywhere else you had reused it. Sites that have been attacked once are often attacked again.
- Avoid clichéd passwords: “password”, “wordpass”, “qwerty”, “1234” or “abcd…” are among the first guesses on any attacker’s list.
- If you can’t easily remember your passwords, use a password manager (an app that stores them encrypted behind one strong master password), or keep them in an encrypted file on a password-protected external drive or USB stick. Never keep them in plain text or in an unprotected document.
The right service provider makes all the difference
While these steps keep your passwords and personal information safer, they can only go so far. The rest of the burden falls on service providers. User information, from passwords to personal financial data, is only as safe as the systems and the business leadership committed to protecting it. A provider without reasonable and appropriate security measures leaves valuable information exposed to exactly this kind of attack. Those measures include storing passwords only as salted, slow hashes (not in plain text, and not “encrypted” with a key that can be stolen alongside the data), rejecting passwords already known from breaches, watching for the bulk login patterns that credential stuffing produces, and offering multi-factor authentication so that a reused password alone is not enough.
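The provider-side controls above, and the “change your password after a breach” advice to users, both rest on two mechanisms: checking a password against known breach data without disclosing the password, and storing it as a salted, slow hash. The following is an added example written for this page (not Thentia’s code, not Thentia Cloud’s implementation) showing both. The breach corpus is a constructed stand-in; the prefix lookup mirrors the k-anonymity shape of the Pwned Passwords range API, and the minimum length and iteration count are assumptions a real deployment would set for itself.

```python
"""Server-side password handling that blunts credential stuffing.

Two controls: refuse passwords already known from breaches (checked by
SHA-1 prefix, the k-anonymity shape the Pwned Passwords range API uses,
so a real client would send only the 5-character prefix over the wire),
and store only a salted, slow hash so a breach of this service yields
nothing reusable elsewhere.  Passwords are hashed, never encrypted:
there is no key to steal and nothing to decrypt.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a breach corpus (not real breach data).
_BREACHED_PASSWORDS = ["password", "wordpass", "qwerty", "123456",
                       "Summer2020!!Summer2020!!"]


def _sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Map 5-char SHA-1 prefix -> set of 35-char suffixes (one 'range')."""
    index = {}
    for pw in passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_range_index(_BREACHED_PASSWORDS)


def is_breached(candidate, index=BREACH_INDEX):
    """True if the candidate's hash appears in the corpus.

    Only the prefix selects the bucket; the full hash never leaves the
    caller, which is what makes the lookup safe against a remote service.
    """
    digest = _sha1_hex(candidate)
    return digest[5:] in index.get(digest[:5], set())


def check_new_password(password, min_length=12):
    """Return a rejection reason, or None if the password is acceptable."""
    if len(password) < min_length:  # assumed policy: length over composition
        return "too short"
    if is_breached(password):
        return "appears in a breach corpus"
    return None


PBKDF2_ITERATIONS = 600_000  # OWASP (2023) floor for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored string records its own cost."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(password):
    """What a sign-up handler stores: a hash, or a reason to refuse."""
    reason = check_new_password(password)
    if reason:
        raise ValueError(reason)
    return hash_password(password)


if __name__ == "__main__":
    for pw in ["qwerty", "Summer2020!!Summer2020!!", "correct horse battery staple"]:
        print(repr(pw), "->", check_new_password(pw) or "accepted")
    stored = register("correct horse battery staple")
    print(stored[:40] + "...")
    print(verify_password("correct horse battery staple", stored))
```

Because the stored string carries its algorithm and iteration count, the cost can be raised later and old hashes upgraded on the user’s next successful login. A memory-hard function such as Argon2id or scrypt is the better choice where a library is available; PBKDF2 is used here only because it ships in the Python standard library.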
Thentia has made protecting the information of our clients a top priority. Thentia Cloud is guarded by ISO 27001 certified security and SOC 2 Type II compliant data centres, and it is regularly penetration tested to find and close potential attack points. To be the best in information security, Thentia has recently hired Steve Genders as Director of Information Security and Risk Management. Genders is a highly skilled expert in information and cloud security, with over two decades of experience deploying and improving modern security technologies to protect customers. With Genders in charge of information security, Thentia will ensure that our clients’ sensitive data is guarded to the highest standards.
If you want to know more about Thentia Cloud and its industry-leading security measures, feel free to schedule a demo with us.
Based in Toronto, Canada, Thentia is an industry leader in using proprietary technology to help regulatory bodies efficiently fulfill their regulatory obligations. Thentia services a wide variety of clients throughout Canada and the United States using cutting-edge software and industry-leading expertise in regulatory standards.