Data Theft
Data theft is the intentional stealing of data.
Behaviours
Enabling fingerprint or facial login for devices and/or accounts
People can access devices and accounts with biometric information (such as a fingerprint or facial scan). The ...
Reporting security incidents
Reporting known or suspected security incidents helps protect the workplace. If the incident is reported early, IT ...
Blocking pop-ups
Most web browsers come with a range of security options. One option is to automatically block pop-ups. Enabling ...
Enabling firewalls
A firewall is a set of virtual rules that help prevent malicious applications from communicating with a device. ...
Enabling auto-updates
Software updates reduce exposure to known security vulnerabilities. Most devices can be set to auto-update when ...
Enabling Google Play Protect
Google Play Protect should be enabled on all Android devices. With Google Play Protect enabled, apps downloaded ...
Restricting administrator privileges
User accounts have fewer privileges than administrator accounts. User accounts deny malware escalated permissions. ...
Running antivirus if a new icon or desktop pop-up appears
Unexpected icons or pop-ups on a computer’s desktop can indicate malware. Running an antivirus scan can help ...
Doesn't plug unknown devices into work devices
Malicious USB (or other plug-in) devices can be used in cyber attacks. They can be used to upload malware, steal ...
Changing default passwords
Internet-connected or “smart” devices are often protected with default passwords. Many of these passwords ...
Using a screen lock
Mobile devices can be protected with screenlocks (like pins, patterns and passwords). This can help prevent ...
Locking devices
Locking devices when not in use prevents unauthorised access. This is especially important in common areas, such ...
Shutting down devices when not in use
Shutting down a device when not in use ensures a second password is required to access it.
Turning off Bluetooth
Bluetooth can be used to access devices. Turning Bluetooth off when not in use conserves battery and improves ...
Using a VPN
A VPN encrypts the data sent to and from devices over the internet, preventing it being read in transit. They ...
Tethering a laptop
Tethering to a mobile device is more secure than using public Wi-Fi without a VPN. 3G and 4G connections are both ...
Disabling "automatically connect to Wi-Fi" on mobile devices
Allowing devices to automatically connect to public Wi-Fi increases the chance of data being intercepted.
Enabling encryption
Encrypting a device prevents the data on the device from being accessed should the device be lost or stolen. Some ...
Securely removes data from a devices before decommissioning
Data should be securely removed from devices before they are decommissioned. This prevents data being recovered ...
Using a webcam cover
Devices that have been compromised can have their webcams accessed. To limit further breaches to privacy and data, ...
Checking unknown people's details or security passes
Individuals should check the security credentials of unknown people they come into contact with in the workplace. ...
Preventing tailgating at security checkpoints
When passing through security checkpoints, people should check they are not being followed by others who do not ...
Does not share work passes
Sharing security passes even with "trusted" contacts creates risk. People should only ever use security passes ...
Escorting visitors and ensuring they follow security policies
Visitors should be escorted according to organisational policies. This reduces the risk of unauthorised access to ...
Reporting lost or stolen devices
Lost or stolen devices should be reported immediately. This allows the device to be locked or remotely wiped to ...
Using private browsing windows
If workplace devices are shared between colleagues, private browsing should be enabled by default. This means ...
Verifying callers
Criminals sometimes use phone calls to try and elicit sensitive information from people. In instances where ...
Doesn't click links in unexpected texts
Criminals will often use instant messaging as an attack vector. Unexpected messages should always be checked for ...
Verifying messages
Contact details can be spoofed. Receiving a message that breaks any norms should be met with suspicion. Using ...
Checking emails before forwarding them
Messages from workplace contacts are more likely to be trusted than messages from other sources. Forwarding ...
Reporting suspicious messages
Suspicious messages received via email, text or phone should be reported to a single point of contact. This allows ...
Checking emails for signs of deception
Criminals will often use emails as an attack vector. Unexpected emails should always be checked for malicious ...
Case study
Opshare Talent Solutions
In 2018, three former employees of Opshore Talent Solutions, an Indian recruitment consultancy, were arrested for data theft.
While employed by the consultancy, the trio stole information from their employer’s client database. The employees then resigned and set up their own recruitment consultancy.
Opshore Talent Solutions became suspicious after losing clients to the former employees. They reported their suspicions, and an investigation led to the arrest of the three men. All pleaded guilty to the accusations.
Opshore did not monitor data transfers within their organisation, nor did they check whether resigned or former employees still had access to the company records. The company also allowed employees to use personal computers in the workplace, which gave employees access to confidential information via personal devices.
UnityPoint Health
In 2018, UnityPoint Health suffered the biggest US health data breach of the year following two phishing attacks.
Criminals posed as a trusted executive and emailed employees to trick them into providing login information. Later investigations showed the fraudsters were trying to divert payroll and vendor payments to their own accounts.
The scam compromised the details of 1.4 million UnityPoint patients. The data included names, addresses, medical data, treatment information, lab results, insurance information, payment details and Social Security numbers.
Victims sued UnityPoint. They agreed to a $2.8 million settlement payment.
Learning from such a costly mistake, representatives from the health system stressed the importance of preventative measures. These include resetting the passwords of compromised accounts, implementing cyber security awareness training for employees, and enabling multi-factor authentication.
Nintendo
In 2020, criminals gained access to 300,000 Nintendo Switch accounts after stealing people’s login IDs and passwords. The accounts stored personal information like birthdays and email addresses.
After hacking the Switch accounts, the fraudsters also gained access to victims’ Nintendo Network IDs. They then used stored payment information to make fraudulent purchases via Nintendo’s official online store.
At first, the attack affected 160,000 Switch users. The figure rose to 300,000 as time went on.
Nintendo refunded fraudulent purchases and disabled logins as part of the recovery operation. They advised victims to reset their passwords and to avoid storing personal and sensitive information in online accounts.