Canada’s Office of the Privacy Commissioner (OPC) is taking steps to try to prevent security breaches that involve the use of valid usernames and passwords. The OPC is urging individuals to stop reusing passwords, and advising businesses to require employees to reset passwords. This is an attempt to curb a recent trend involving security breaches of this type.
In recent months, the OPC has received several breach reports from companies that suspect their systems were accessed by individuals using valid customer or employee login data. It’s believed the criminals had obtained the data from previous, unrelated breaches that resulted in username and password combinations being published online.
“There’s a simple way for individuals to prevent these types of password reuse breaches: Don’t reuse passwords,” Commissioner Daniel Therrien says.
“Businesses also have a role to play. They should require employees to change their work passwords if they’ve ever used the same one elsewhere. Companies should also remember that an employee’s password should not be their only line of defense against online intruders.”
Other precautions, such as multifactor authentication for those accessing company servers remotely and monitoring for unusual employee login behaviour, are also important, he says.
Besides not using the same password for different websites, accounts and devices, individuals and employees are also reminded to consider several best practices when selecting passwords:
- Avoid obvious choices such as mother’s maiden name, child’s name, pet’s name or any reference someone may be able to guess through information you have posted elsewhere;
- Make them eight or more characters;
- Use a combination of letters, numbers and symbols;
- If you need to write them down to remember them, keep them offline in a secret, secure, locked place.
The OPC has also prepared a new tip sheet for businesses to help them mitigate the risk of password reuse.
The Office has also had discussions with the Retail Council of Canada, which is working to increase awareness of the issue.
“We know that businesses have systems in place to monitor unusual online activity to protect the privacy of their customers, and these recent incidents are an important reminder of the risks that exist and the need for constant vigilance. It also highlights the need for Canadians to take appropriate steps to protect themselves from fraud and to protect their personal information,” says Caroline Hubberstey, Senior Vice President, communications and member relations at the Retail Council of Canada.
The companies that have recently reported breaches involving password reuse attacks to the OPC have notified affected customers. All are working cooperatively with the OPC as they determine the details of what occurred and how best to mitigate the situation.