Earlier this month, Apache Pizza confirmed that it had suffered a data breach affecting customers’ names, addresses, contact details and encrypted passwords.
In some cases, the passwords themselves were also exposed.
The incident sparked concerns that the attackers would use the stolen information to target customers directly – either by trying the stolen email/password pairs against other services (credential stuffing) or by sending convincing phishing emails.
Those with an Apache Pizza account have been told to change their password, and should also change the password of any other account where they reuse the same login credentials.
Although that will mitigate the threat of further account compromises, it won’t undo any damage that has already occurred. That’s why it’s essential for individuals to avoid mistakes that allow cyber criminals to exploit a data breach, such as reusing the same password on multiple accounts.
It may not seem fair to put the onus on customers to protect themselves when an organisation is breached, but that’s the reality of the current cyber security landscape.
Cyber attacks and data breaches occur not only when companies make security blunders; they can happen at even the most prepared organisations.
There are simply too many crooks and potential vulnerabilities – from unpatched systems to the threat of phishing – for an organisation to guarantee its security.
As such, individuals must accept that there is a risk of their sensitive data being compromised, and do their part to minimise the damage.
How can you protect yourself?
The most important thing people can do to protect themselves is to create strong passwords for their accounts, and to use unique credentials for every account.
The received wisdom about passwords is that they should be at least eight characters long and combine letters, numbers and special characters. But you won’t fool criminal hackers by simply adding an ‘@’ symbol and two or three digits to the end of a dictionary word, as it’s such a common technique.
Character substitutions (e.g. replacing an ‘o’ with a ‘0’) don’t help much either. Password-cracking tools apply these substitutions automatically as “rules” on top of a wordlist, so a password like that is only a handful of guesses away from the base word, while being harder for you to remember. Ironically, it ends up memorable to no one but the computer.
A simpler and more secure technique is to create a mnemonic or cipher, such as taking the first character and punctuation from each word of a sentence.
Alternatively, you can use three random words, so that your password gets its strength from length. The longer your password is, the harder it is to crack, because every extra character multiplies the number of possible combinations.
Provided the words really are chosen at random (picked from a list, not a familiar phrase or song lyric), so there is no reasonable way for a person or a computer to predict each one, this practice produces strong passwords without needing special characters or numbers.
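To make the point concrete, here is a small added example (not from the original article or from IT Governance) that mimics how a rule-based cracker expands a wordlist with case changes, leet substitutions and appended digits or symbols, and then compares the resulting keyspace with that of a three-random-word passphrase. The ten-word wordlist, the suffix list and the 7,776-word list size (a Diceware-style list) are constructed assumptions; real crackers use wordlists of millions of leaked passwords and far larger rule sets, which only widens the gap shown here.

```python
"""Toy rule-based cracker versus a random-word passphrase (illustrative, constructed data)."""
import itertools
import math
import secrets

# Constructed toy wordlist. A real cracker loads millions of leaked passwords.
BASE_WORDS = ["password", "summer", "apache", "pizza", "dublin",
              "qwerty", "welcome", "monkey", "dragon", "football"]

# The substitutions people make to satisfy complexity rules are exactly the
# ones cracking tools try automatically.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Trailing junk commonly appended to a dictionary word (assumed, abbreviated list).
SUFFIXES = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1950, 2031)]
SUFFIXES += ["!", "@", "#", "1!", "!1", "123", "123!", "@1", "1@"]


def leet_variants(word):
    """Yield every way of applying zero or more LEET substitutions to `word`."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def mangle(word):
    """Candidates a cracker derives from one base word: case x leet x suffix rules."""
    out = set()
    for cased in (word, word.capitalize(), word.upper()):
        for leet in leet_variants(cased):
            for suffix in SUFFIXES:
                out.add(leet + suffix)
    return out


def build_candidates(words=BASE_WORDS):
    """Union of all mangled variants of every base word."""
    cands = set()
    for w in words:
        cands |= mangle(w)
    return cands


CANDIDATES = build_candidates()


def is_cracked(password, candidates=CANDIDATES):
    """True if the password falls inside the cracker's rule-expanded wordlist."""
    return password in candidates


def bits(keyspace):
    """Keyspace size expressed in bits of entropy."""
    return math.log2(keyspace)


def naive_bits(password):
    """What a complexity checker assumes: 95 printable ASCII choices per position."""
    return bits(95 ** len(password))


def effective_bits_against_rules(candidates=CANDIDATES):
    """Real work for the cracker: one guess per candidate it generates."""
    return bits(len(candidates))


def passphrase_bits(n_words, wordlist_size=7776):
    """Entropy of n words picked uniformly from a wordlist (7776 = Diceware-style)."""
    return bits(wordlist_size ** n_words)


def random_passphrase(wordlist, n_words=3, sep="-"):
    """Pick words with a CSPRNG; the word list itself is the caller's choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "Apache2023", "FOOTBALL!", "sundial-basket-lorry"]:
        print(f"{pw:22s} cracked={is_cracked(pw)}  naive={naive_bits(pw):.1f} bits")
    print(f"cracker only needs ~{effective_bits_against_rules():.1f} bits of guessing "
          f"for the whole mangled set ({len(CANDIDATES)} candidates)")
    print(f"three random words from 7776: {passphrase_bits(3):.1f} bits")
    # Constructed mini wordlist so the demo runs offline; use a real list in practice.
    print("example passphrase:", random_passphrase(["sundial", "basket", "lorry", "quartz"]))
```

The point the numbers make: a complexity checker credits “P@ssw0rd1!” with 65-odd bits because it counts 95 possibilities per character, but against a cracker that starts from “password” and applies rules, the whole mangled set here is only about fifteen bits of work. Three genuinely random words from a 7,776-word list are worth about 39 bits regardless of rules, and that figure grows by nearly 13 bits per additional word.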
And as IT Governance Cyber Incident Responder Cliff Martin notes, another way you can protect yourself is by avoiding using your work email account for non-work related activities.
When that information is breached, attackers build up a picture of the victim which can be used in a future attack or sold on for a profit.
“For example, an attacker might use this information to further their goal or intentions; with the information exposed an attacker might be able to craft a phishing email (like the email received) which targets the victim and makes them do something they wouldn’t normally do,” he said.
He also recommends:
- Using multi-factor authentication where possible;
- Only providing personal information that’s required for the product or service that you’re using;
- Requesting that the organisation remove any unnecessary personal information; and
- Not clicking on links that you are unsure about in any email.
You can find more tips on how to protect yourself from cyber criminals in our Phishing Staff Awareness Training Programme.
This 45-minute course explains how scammers operate and the steps you should take to keep yourself safe.
The course content is updated each quarter to contain the latest criminal tactics and trends, helping you to reinforce staff awareness as part of your overall commitment to information security.