Recent Breaches – Recommended actions
With recent breaches of systems controlled by the likes of Dell, Commonwealth Bank and Marriott Hotels, it is clear that organisations are not taking information security as seriously as the individuals impacted by these breaches would like.
It is clear that it will be up to us, the users, to do the legwork on behalf of these businesses and make sure our personally identifiable information is kept as safe as possible. The following tips will help.
- Where possible, use garbage information.
If you see no reason why a business should have the information it is asking for, provide false information (except where providing false information is a criminal offense) or no information at all.
- Consider using a second (or third) email address to handle registrations.
You don’t need (or want) all the marketing garbage cluttering up your personal or professional inbox. A simple Gmail address has heaps of storage and is simple to set up with two-factor authentication (2FA) to keep it locked up tight. You will not need to access this email address all the time, only for password resets. In this case, 2FA is not only essential but less hassle if it is not your “daily driver”.
- Use a password manager to avoid re-using passwords.
One of the first things bad guys do when a user database is breached is to try a technique called credential stuffing. This is when they take a username or email address with a cracked password and try it on all the services they can think of, starting with your email account.
If you have unique passwords with 2FA, they stand very little chance and will move on to the next chump in the database that probably settled on “password1234”.
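The pattern described above is also what a defender looks for: one source trying many different accounts, roughly once each, rather than hammering one account. The detector below is an added example, not code from the original post; it runs over a constructed sample of login audit lines in an assumed format, with assumed thresholds.

```python
import re
from collections import defaultdict

# Constructed sample of login audit lines (not from the original post).
# Assumed format: "<timestamp> login ip=<src> user=<email> result=<ok|fail>"
SAMPLE_LOG = """\
2019-01-12T08:00:01Z login ip=203.0.113.9 user=alice@example.com result=fail
2019-01-12T08:00:02Z login ip=203.0.113.9 user=bob@example.com result=fail
2019-01-12T08:00:02Z login ip=203.0.113.9 user=carol@example.com result=ok
2019-01-12T08:00:03Z login ip=203.0.113.9 user=dave@example.com result=fail
2019-01-12T08:00:04Z login ip=203.0.113.9 user=erin@example.com result=fail
2019-01-12T08:00:05Z login ip=203.0.113.9 user=frank@example.com result=fail
2019-01-12T08:01:00Z login ip=198.51.100.7 user=alice@example.com result=fail
2019-01-12T08:01:05Z login ip=198.51.100.7 user=alice@example.com result=fail
2019-01-12T08:01:09Z login ip=198.51.100.7 user=alice@example.com result=ok
2019-01-12T08:02:00Z login ip=192.0.2.44 user=bob@example.com result=ok
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

def parse(log_text):
    """Yield (ip, user, result) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")

def detect_credential_stuffing(log_text, min_users=5, max_attempts_per_user=2.0):
    """Flag source IPs that try many different accounts with few attempts each.
    Brute force looks like one user with many tries; credential stuffing (one
    leaked pair per account) looks like many users with about one try each.
    Returns {ip: {"users": n, "attempts": n, "successes": n}} for flagged IPs.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for ip, user, result in parse(log_text):
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if result == "ok":
            stats["successes"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        n_users = len(stats["users"])
        if n_users >= min_users and stats["attempts"] / n_users <= max_attempts_per_user:
            flagged[ip] = {"users": n_users, "attempts": stats["attempts"],
                           "successes": stats["successes"]}
    return flagged
```

A flagged source with a non-zero success count is the case worth acting on first, since it means a reused password has already worked.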
As an Australian, you are entitled to a level of privacy and reasonable access to your information kept by third parties under the Privacy Act (1988).
Business owners must evaluate the value and risk of all personal or private information they hold, and when keeping information it is important to think of security as a layered approach. This helps to reduce risk when one or more layers are defeated. For example, if the username/password combination is defeated, 2FA and strong encryption with salted password hashing are there to prevent any useful information from leaving the business.
If this still fails to deliver results, I would like to see a change in user attitudes that will send a clear message to companies that if they cannot properly protect user information, then that privilege (not right) will be removed.
This could take shape in Australia by individuals applying to have the personal information kept about them by organisations disclosed and then updated to either omit it or fill it with garbage, reducing the impact of a future breach.
For me, this has gone on long enough and I am willing to put irresponsible custodians in time-out until they start treating our information with the respect it deserves. I understand that this is how some businesses operate but if the relationship is not working out, it is time to walk away.