A friend recently mentioned an email that she received regarding an investment app that she had downloaded on her phone. The app was a way for her to play around and learn a little bit about investing, something that it seems many people leaned into during the pandemic.
The notification email stated that security and privacy were taken seriously at the company, but also that they had recently discovered that a former employee had downloaded investing reports. Upon discovery, the company did everything correctly: it notified users, explained the situation, identified what had and had not been accessed, described what it was doing as follow-up, and provided contact information for clients.
Her take on the email that they sent to users was that they had somewhat downplayed the issue, stating that this was a report that the (former) employee had always had access to. They also indicated that usernames and passwords were not compromised, just brokerage account numbers, full names and portfolio values. When she read the email, it gave her the vibe of, “this happened, we are handling it, don’t worry, your ‘important’ data wasn’t compromised.” Of course, it didn’t say that explicitly, but that was her take on it, and she wasn’t too concerned after reading the email. Her first thoughts: “Oh, another breach… this one doesn’t seem like a big deal, I’ll have to remember to change my password, but it’s on my phone so I’ll get to that this weekend.”
As IT professionals in cybersecurity, we know the appropriate reaction should be much different. Breaches and compromised data are so common today (it wouldn’t be difficult to find a new one daily) that we’re becoming desensitized to them. This news should have created more of a sense of urgency in my friend’s mind to act immediately.
While no one is suggesting that we create a panic, we do need to continually remind our clients, friends, and family to keep on top of their cybersecurity behaviors outside of work as well as within the walls of their offices. Small pieces of data that seem insignificant can add up, and it doesn’t take a detective to piece them together and wreak havoc one way or another.
Incidentally, we often hear people concerned about the targeted ads that they receive after having a conversation with friends about something. “I was just talking with Sam about canoes and now my Instagram feed is full of canoe ads! Isn’t that scary!!!???” Yes, it is. But have you considered that, as a result of this investment app breach, your dark web consumer profile includes data that identifies you as an investor, and one with an account that contains this much money, so you’re perhaps a target for additional ads or cyberattacks of different kinds?
AllSafe IT can provide the tools and resources that you need to keep your employees trained and aware of threats like this that they face. We are all targets, and our identifying assets and behaviors help cybercriminals gain access to our lives in ways that they shouldn’t.