The Ontario Science Centre recently reported an interesting data breach. According to the news, they use a third-party service called Campaigner to distribute their newsletter and other communications to subscribers. In August of this year the Science Centre was notified by Campaigner that a data breach had occurred with their subscriber list.
The Science Centre says that a Campaigner investigation revealed that a former employee’s credentials were used to access and download the subscriber list. Campaigner immediately discontinued the use of the credentials and implemented further measures to prevent a similar issue from happening in the future.
Based on a quick overview, you might think:
• “Oh yeah – another breach at a huge organization … nothing new…”
• “Big deal – just names and email addresses, no other personal or financial information was breached”.
• “Doesn’t affect me.”
Some things to think about:
1. Was Campaigner using shared credentials and didn’t change them after an employee left? Why would they say they “immediately discontinued the use of the credentials”? Shouldn’t those credentials have already been deactivated if they belonged to someone who no longer worked there? If they were sharing credentials and forgot to change or deactivate them when an employee left, they’re not alone (sadly). Do you share any credentials among users at your company? It is pretty common. How do you manage the security around those shared credentials and/or former employees?
2. It may not have been a former employee. The credentials may have been exposed somewhere else and then sold on the dark web – and then could be used by a cybercriminal to access the Science Centre’s information.
3. Despite the limited scope of the breach, this information can still be very valuable in the hands of cybercriminals, and access to this database may only be the tip of the iceberg. Those who are impacted should be looking at identity and credit monitoring to help stay protected.
4. What other websites and applications used by the Science Centre might those same credentials access, and are those sites/apps now at risk of unauthorized access?
5. How many “third-party” applications does your business use and how are you managing the security of current and past employees on all those applications and cloud portals?
6. Do your employees ever use their business email address and password to create accounts online (even personal ones like Facebook)? If they did, and one of those sites was breached and that information was exposed, would that put your business at risk somehow?
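Points 1 and 5 come down to a reconciliation question: for every third-party application, which accounts still work for people who have left, and which shared credentials were never rotated after a co-owner left? The following added example (not from the post, nor from Campaigner or the Science Centre) performs that check over constructed sample data; the application names, user ids and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: an HR list of departure dates, and a user export
# from two hypothetical third-party apps. Nothing here is from the incident.
DEPARTED = {"j.doe": date(2019, 5, 31), "a.lee": date(2019, 7, 15)}

@dataclass
class Account:
    app: str
    username: str
    owners: tuple          # employee ids known to use this credential
    enabled: bool
    password_changed: date # last credential rotation

ACCOUNTS = [
    Account("newsletter_saas", "j.doe", ("j.doe",), True, date(2018, 1, 10)),
    Account("newsletter_saas", "marketing", ("a.lee", "m.ng"), True, date(2018, 3, 2)),
    Account("crm", "m.ng", ("m.ng",), True, date(2019, 8, 1)),
    Account("crm", "a.lee", ("a.lee",), False, date(2018, 6, 6)),
]

def offboarding_findings(accounts, departed):
    """Return (app, username, reason) tuples for accounts that should have
    been dealt with at offboarding: personal accounts of departed staff that
    are still enabled, and shared credentials whose last rotation predates a
    co-owner's departure."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        gone = [o for o in acct.owners if o in departed]
        if not gone:
            continue
        if len(acct.owners) == 1:
            findings.append((acct.app, acct.username, "departed user still enabled"))
        else:
            last_departure = max(departed[o] for o in gone)
            if acct.password_changed <= last_departure:
                findings.append((acct.app, acct.username,
                                 "shared credential not rotated after departure"))
    return findings

if __name__ == "__main__":
    for app, user, reason in offboarding_findings(ACCOUNTS, DEPARTED):
        print(f"{app}/{user}: {reason}")
```

Run against a real export, the same loop needs one user list per application, which is exactly the inventory point 5 asks whether you keep.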
We have traditionally thought, “my computer is secure”. But the landscape of risk has changed dramatically – moving beyond the box of our office or personal computer. Today, your employees’ personal cloud accounts may be putting your “computer” at risk. Businesses need to think outside the traditional box when it comes to modern security hygiene.
What can you do? Here are three suggestions for your business:
1. Train employees in security awareness and security hygiene.
2. Subscribe to Dark Web Monitoring services.
3. Subscribe to a business grade password manager application.
Want to find out more about how to start? Contact us and we will be happy to talk about possible next steps.