Cyber safety after a data breach

With so many data breaches making the press, it's useful to know what kinds of security steps you or your staff can take if they suspect a service they use may have been breached.

  1. Upgrade your passwords and switch on multi-factor authentication (MFA) for all accounts
  2. Monitor and notify key people and services
  3. Up your phishing vigilance
  4. Do a social media health-check
  5. Check your active sessions

1. Upgrade your passwords and switch on multi-factor authentication (MFA) for all accounts

One of the first things an attacker will typically do is attempt to log in to your accounts themselves, or sell the information they hold so that others can do so.

So, step one is to change any passwords you think may have been breached – both for the service you've been notified about and for any other services where you may have re-used any kind of similar password too. While you're changing passwords, make sure you switch on MFA wherever you haven't already to add that extra obstacle for an attacker.

Once you've changed those impacted passwords, think next about your passwords in general. Have you used a password anywhere that is easily guessable by people who know information about you, such as your pet's name or your child's name and date of birth? If so, go through your other services and update your passwords to something long and wacky that is in no way related to your personal information.

[Infographic: How to create a passphrase]

The infographic titled "How to create a passphrase?" covers four key steps.
The first step is to pick 4-5 random letters. Accompanying this is a string of letters as an example, SEOT.
The second step says "Assign a word to each letter". This is accompanied by the example Sunny Egg on Orange Toast.
The third step says "Add numbers or characters". This is accompanied by the example SunnyEgg4OrangeToast.
The fourth step says "That's your memorable passphrase!" This is accompanied by an image of a sunny-side up fried egg on a piece of orange bread.
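The four infographic steps, written out as a small generator. This is an added example, not part of the original article: the word lists are a constructed stand-in for a real dictionary, random choices come from the `secrets` module rather than from the user's head, and the final function enforces the article's own rule that the result must not be related to your personal information.

```python
import math
import secrets
import string

# Constructed sample dictionary: a few candidate words per starting letter.
# A real implementation would use a large word list; this is illustrative only.
WORDS_BY_LETTER = {
    "s": ["sunny", "silver", "sandal", "saddle"],
    "e": ["egg", "engine", "elbow", "ember"],
    "o": ["orange", "otter", "oak", "onion"],
    "t": ["toast", "tiger", "tunnel", "teapot"],
    "b": ["banjo", "bucket", "blanket", "beacon"],
    "m": ["mango", "meadow", "marble", "muffin"],
    "p": ["pillow", "parrot", "pebble", "pumpkin"],
    "w": ["walnut", "whistle", "window", "wagon"],
}


def pick_letters(n_letters: int = 4) -> str:
    """Step 1: pick n random letters (only letters we have words for)."""
    alphabet = sorted(WORDS_BY_LETTER)
    return "".join(secrets.choice(alphabet) for _ in range(n_letters))


def words_for(letters: str) -> list:
    """Step 2: assign a random word to each letter, capitalised for readability."""
    return [secrets.choice(WORDS_BY_LETTER[ch.lower()]).capitalize() for ch in letters]


def build_passphrase(letters: str = None, n_letters: int = 4) -> str:
    """Steps 1-4: letters -> words -> insert a digit -> memorable passphrase."""
    if letters is None:
        letters = pick_letters(n_letters)
    words = words_for(letters)
    # Step 3: add a number or character; here one random digit between two words.
    filler = secrets.choice(string.digits)
    mid = len(words) // 2
    return "".join(words[:mid]) + filler + "".join(words[mid:])


def estimated_entropy_bits(n_letters: int, alphabet_size: int,
                           words_per_letter: int, filler_choices: int) -> float:
    """Bits of randomness if every choice above is made uniformly at random.

    Each position picks one of alphabet_size letters and then one of
    words_per_letter words, and the filler adds log2(filler_choices).
    """
    return n_letters * math.log2(alphabet_size * words_per_letter) + math.log2(filler_choices)


def is_related_to_personal_info(passphrase: str, personal_terms: list) -> bool:
    """True if any personal term (pet, child, birth year...) appears in the passphrase."""
    lowered = passphrase.lower()
    return any(term and term.lower() in lowered for term in personal_terms)


if __name__ == "__main__":
    phrase = build_passphrase("seot")
    print(phrase)
    print("entropy with this toy dictionary:",
          round(estimated_entropy_bits(4, len(WORDS_BY_LETTER), 4, 10), 1), "bits")
    print("related to personal info:", is_related_to_personal_info(phrase, ["Rex", "1990"]))
```

With the toy dictionary above a four-letter phrase carries only about 23 bits of randomness, which is the point of the entropy helper: the memorability trick is sound, but the strength comes from a large word list and from not letting the letters or words be anything a friend could guess.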

2. Monitor and notify key people and services

It's important to get on the front foot when it comes to monitoring key accounts, as attackers will frequently leverage the information stolen in a data breach to take over more of your accounts and transact on your behalf in order to steal funds.

To that end, it's important to:

  1. Notify your bank and super/pension funds to enable heightened monitoring on your accounts.
  2. Request a temporary ban on your credit report, which helps stop unauthorised loan or credit applications. See https://www.commbank.com.au/latest/partnerships/credit-savvy.html for more details.
  3. Monitor your bank account for any unauthorised transactions.

3. Up your phishing vigilance

Attackers can use information that's been stolen about you to make their phishing lures more believable to both you and your friends and family. This can make phishing emails and messages harder to detect and is why it's also a good idea to notify key people in your life so they can be extra scam aware too if anyone contacts them claiming to be you and asking for things like urgent transfers of money.

As well as being on guard, it can also be a good defensive move to spread your risk when it comes to email. If you have an email address that's been involved in breaches, consider setting up a new email account and shifting any services linked to your identity (such as banking, telco and government services) over to this account. Keep this new account only for your most important digital services, defend it well with a strong password and MFA, and don't give this email address out to friends or use it for lower-tier digital accounts such as shopping.

4. Do a social media health-check

Social media can be a rich source of additional information about you that can be used to maliciously target you, or to help a potential attacker impersonate you.

Monitor social media accounts closely following a potential data breach, but also consider these proactive steps to improve your social media privacy and security.

  1. Only connect with people you actually know / have met in real life.
  2. Use privacy controls within apps to control who can see your posts and information and who can message you directly.
  3. Always open a social media app to read any messages, rather than clicking on a link in an email.
  4. Limit the personal information you share (don't include things like your real birthday).
  5. Think about what you're sharing and what information it's giving away every time you post a status or photo.
  6. Don't use public computers or public Wi-Fi to sign into social media accounts.
  7. Monitor for cloned accounts of existing friends. Attackers like to clone your friends' accounts and send you duplicate friend requests to try and bypass your public-facing privacy controls.

5. Check your active sessions

Some accounts, and smart device apps, create long-lived sessions that let you skip the full login process and sign in with a simplified one. Once such a session exists, changing your password will not always end it, so an attacker who already holds a session may keep access to your account.

In these instances, you want to review the active sessions via your security settings and delete, or end, any that you are not completely certain of. If in doubt, close them all after changing your password and log back on from scratch.
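The defender's side of this problem, as an added example that is not part of the original article: a minimal server-side session store in which every session records the "credential generation" it was issued under. Changing the password bumps that generation, so older sessions fail validation, while the session that made the change can be re-stamped to stay signed in. The store also lets a user list and end sessions individually, which is the manual review the article describes. The class and names are hypothetical; the password hashing uses PBKDF2 from the standard library.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    cred_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    token: str
    user: str
    cred_generation: int  # generation the session was minted under
    created: float
    device: str


class AuthStore:
    """In-memory user + session store (hypothetical; for illustration only)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, self._hash(password, salt))

    def _check_password(self, name: str, password: str) -> User | None:
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(self._hash(password, u.salt), u.pw_hash):
            return None
        return u

    def login(self, name: str, password: str, device: str) -> str | None:
        """Full login: returns a fresh session token or None on bad credentials."""
        u = self._check_password(name, password)
        if u is None:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, name, u.cred_generation, time.time(), device)
        return token

    def is_valid(self, token: str) -> bool:
        """Simplified sign-in path: a token is good only for the current generation."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if s.cred_generation != self.users[s.user].cred_generation:
            del self.sessions[token]  # stale session: minted before a password change
            return False
        return True

    def change_password(self, name: str, old: str, new: str,
                        revoke_other_sessions: bool = True,
                        current_token: str | None = None) -> bool:
        u = self._check_password(name, old)
        if u is None:
            return False
        u.salt = secrets.token_bytes(16)
        u.pw_hash = self._hash(new, u.salt)
        if revoke_other_sessions:
            # Bumping the generation invalidates every existing session for this user.
            u.cred_generation += 1
            if current_token in self.sessions:
                # Keep the session that made the change signed in.
                self.sessions[current_token].cred_generation = u.cred_generation
        # revoke_other_sessions=False reproduces the weak behaviour the article warns
        # about: the password changes but existing sessions keep working.
        return True

    def active_sessions(self, name: str) -> list[tuple[str, str, float]]:
        """What a 'review your active sessions' page would show the user."""
        return [(s.token, s.device, s.created) for s in self.sessions.values()
                if s.user == name and self.is_valid(s.token)]

    def end_session(self, token: str) -> bool:
        return self.sessions.pop(token, None) is not None
```

Run against two sessions (a laptop and an unrecognised phone): with `revoke_other_sessions=False` the phone's token survives a password change, which is exactly the gap the article describes; with the default, only the laptop session that made the change remains, and the user can still end it explicitly with `end_session`.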

Commonwealth Bank of Australia ABN 48 123 123 124 AFSL and Australian credit licence 234945.