Canadian Underwriter

How data breaches cause harm even if no financial info is stolen

July 17, 2018 by Jason Contant

A recent data breach at an Ontario college highlights the importance of educating clients on cybersecurity, even if no financial information was exposed.

“Even having your name, address and date of birth stolen can still cause problems,” Don Duncan, security engineer for Vancouver-based NuData Security, said Tuesday. “Cybercriminals can use this information to create a complete profile of students. Add a bit of social engineering, and they can start cracking all types of accounts and even open up new accounts in the students’ names.”

Duncan said protecting data from breaches is becoming increasingly challenging, but innovations in technology and following best practices can help organizations detect and mitigate damage after a breach.

Organizations should implement multi-layered intelligence to authenticate users, so that stolen personally identifiable information is not enough to access an account. These solutions evaluate a user’s behaviour to give a “true insight into who is behind the device,” Duncan said, “and provide high accuracy on whether it is the consumer or a cybercriminal using consumers’ correct credentials. Recognizing users’ online behaviour, instead of basing a decision on a password, means that bad actors can’t use the stolen credentials to open an account, making leaked credentials valueless.”

On Monday, Ontario’s Algonquin College provided an update on a May 16 incident involving the “unauthorized and illegal access by hackers on one server infected with malware.” The college’s forensic investigation determined that while the infected server hosted access to databases containing personal information, there was no direct evidence that any data was actually accessed or taken in the cyberattack.

No financial information was exposed. The data did not contain social insurance numbers, banking, credit card or personal health information.

While there have been no reports of identity theft or other misuse, the college said in a press release that it has identified 4,568 individuals (including students and alumni) whose exposed information may have included date of birth and home address. An additional 106,931 individuals – including students, alumni, and current and former employees – had “non-sensitive information” that may have been exposed on the server. “This information was assessed as presenting a low risk of misuse if in fact it were accessed,” the college said.

Algonquin College has informed the information and privacy commissioner of Ontario and the Ottawa Police Service of the breach. Their forensic investigation continues.