Coleman Technologies Blog

We can give your organization comprehensive IT services and 24/7/365 live support for a predictable monthly fee. Stop stressing about technology, and start focusing on growing your business.

Recent Data Breaches You Should Know

September

9/5

Providence Health Plan - 122,000 members of the Providence Health Plan had personal information leaked when an unauthorized party accessed the company’s servers. Information that was stolen included plan member names, addresses, email addresses, dates of birth, Social Security numbers, member ID numbers, and subscriber numbers.

Facebook - Facebook had an unprotected server with over 419 million records accessed. Users had their Facebook user ID and phone number exposed. In some cases, users’ names, genders, and locations were also leaked.

9/16

Dealer Leader, LLC. - 198 million prospective car buyers were left exposed by an unprotected server. The information that was left out there included names, email addresses, phone numbers, addresses, and IP addresses.

9/27

DoorDash - The popular food delivery app had 4.9 million customers’ information breached by a third party. The information left exposed included names, delivery addresses, phone numbers, hashed passwords, order history, and the last four digits of each customer’s credit card number. In the same hack, over 100,000 delivery drivers had their driver’s license information leaked.

9/30

Zynga - The mobile game maker Zynga, the developer of popular mobile games such as Farmville and Words with Friends, has announced that 218 million players had their data exposed after its network was breached by a hacker. The company had player names, email addresses, login IDs, phone numbers, Facebook IDs, and more left exposed.

October

10/17

Methodist Hospitals of Indiana - The Methodist Hospitals of Indiana fell victim to an email phishing scam that allowed hackers to steal 68,000 records, including names, addresses, dates of birth, Social Security numbers, driver’s licenses, and more.

10/21

Autoclerk - Autoclerk, a hotel property management software developer, had an open database infiltrated, exposing data that included names, dates of birth, home addresses, phone numbers, dates of travel, travel costs, room numbers, and some masked credit card details of hundreds of thousands of guests.

10/22

Kalispell Regional Healthcare - Over 130,000 Social Security numbers, addresses, medical record numbers, dates of birth, medical histories and treatment information, and names of treating physicians were exposed by hackers.

10/26

Adobe - Data was exposed that included email addresses, usernames, location, Adobe product licenses, account creation dates, and payment statuses. 7.5 million users were affected.

10/27

Network Solutions - The world’s oldest domain name provider was hit by a hack. Millions of individuals’ data, including names, addresses, phone numbers, email addresses, and service information, was compromised.

November

11/9

Texas Health Resources - The Texas-based health care provider reported a data breach where 82,000 patient records were exposed. Included in the breach were names, addresses, email information, health information, and more.

11/16

Disney Plus - The brand-spanking-new Disney+ streaming service had new user account information hijacked by hackers. Login credentials wound up on the Dark Web soon after.

Magic the Gathering - The popular online strategy game has reported that an unsecured website database has exposed 452,000 player records that include names, usernames, and more.

11/18

State of Louisiana - The State of Louisiana was the victim of a ransomware attack that took down many state agencies’ servers. Although no data is reported lost, the state’s crucial computing infrastructure was down for several days while systems were restored from backup.

11/19

Macy’s - Macy’s had their ecommerce site hacked. Hackers embedded malicious code into their checkout page and put a skimming code on the company’s Wallet page. The malware retrieved names, addresses, phone numbers, email addresses, payment card numbers, card security codes, and card expiration dates.

11/22

T-Mobile - T-Mobile had over a million customers’ information accessed by a hacker. Information accessed included names, billing addresses, phone numbers, rates, and calling features.

Unknown - An unsecured server containing over 622 million email addresses, 50 million phone numbers, and millions of pieces of other information was discovered. It is unknown what organization this data is tied to at the time of writing.

With hundreds of millions of records being exposed each month, it’s hard to feel confident about giving your personal or financial information to anyone in the current threat landscape. If your business needs help trying to be secure, call us today at (604) 513-9428.


Protect Smartphones Like Any Other Computer

Mobile malware is not new. It has been around since people used flip phones, but it doesn’t get the attention that malware targeting Windows PCs does. This is mainly because it is rarer, but if you are the unfortunate recipient of it, it can cause a lot of the same problems.

Many people won’t consider it simply because of the way they use their device. A person’s smartphone is with them around the clock, and they don’t often use it in the same manner as they would a PC. This doesn’t mean that there aren’t major threats that users can be exposed to. Let’s take a look at each major mobile OS.

iPhone Malware

One of Apple’s favorite marketing strategies is to point out that iOS is the safest mobile operating system. They actually do a commendable job, but devices running iOS aren’t always completely safe, especially “jailbroken” devices. Jailbreaking is a way to get around a lot of iOS’ built-in security restrictions; by not doing it, you will be much more secure.

Another risk that iOS devices run into is the zero-day attack, which targets devices that haven’t yet applied a security update after that update has been released to the public. One major issue that users have with iOS security is that there aren’t a lot of ways for them to prevent issues themselves; Apple does a lot of the heavy lifting. The platform’s success depends on Apple keeping its reputation, so trusting Apple to keep your device secure is not without its merits.

Android Malware

Android is a completely different situation altogether. With more devices comes more malware, and with so many different manufacturers making (and supporting) their various versions of Android, it gets a little dicey.

Android is much more flexible than iOS, which is one of its main benefits, but it can also be problematic when it comes to keeping the device secure. For example, if you want to install an application that’s found outside of Google Play, you can, but any negative situation you get into as a result is on you. It is also possible to jailbreak an Android device, which can override some of the built-in security restrictions.

There have been situations where installing apps from Google Play has caused problems. Google has had to play games with app developers to keep some serious threats off its store. It has become clear that it really comes down to the user being careful with what they install. It’s not normal for malware to be attached to Google-sponsored apps, but it has happened, so if you are an Android user, you can’t be too careful, even if all of your software comes from Google.

How to Protect Your Smartphone from Malware

Keep App Downloads to Major App Providers - Both Android and iOS feature their own app stores, Google Play Store and Apple App Store, respectively. Even though Android devices can install applications that aren’t on the Google Play store, modern smartphones make this a little more difficult by making users acknowledge that they are putting their devices at risk by doing so.

If you refuse to jailbreak your phone, and you only install applications that are thoroughly vetted, positively reviewed, and come directly from the Apple App Store or Google Play, you will greatly reduce the risk of infecting your device.

Don’t Get Phished - Many of the most insidious threats today rely on user error. Phishing attacks are an annoying example of this. A user will get a legitimate-looking email from some account they actively use and will be directed to submit login credentials. Unfortunately, the email account is spoofed and on the other end is potential disaster.

Install Anti-malware - You have antivirus software for your PC, right? Why not get it for your mobile devices? Most providers offer Android apps that can go a long way toward protecting your device from harm.

Enact Policies - If you are a business owner and your employees use their personal devices to do work-related tasks, it’s a solid practice to establish an end-to-end mobile device policy. You can require users to enable security options like device locking and encryption, and since this gets set up on your network, the device (and therefore the user) has to comply with any requirements your IT admin sets.

We have a dedicated plan to help all of our clients maximize their data and network security. If you want to talk more about it call our consultants today at (604) 513-9428.


Tip of the Week: 3 Signs of a Phishing Attempt

1. There’s an Unexpected Attachment or Link

It’s one thing to get an unexpected email from someone; it’s another thing entirely to get an email from someone that includes an unexpected attachment or link. Neither of these is a good sign. Attachments can easily contain hidden malware files, and links can be disguised with very little effort.

Don’t believe me? Try visiting google.com. Go ahead!

Not exactly what you were expecting, eh? Keep in mind that you can double-check links by hovering your cursor over them, and if you weren’t anticipating an attachment, don’t click it unless you have confirmed its legitimacy through some other means.

2. The Sender’s Email Seems Off

It isn’t uncommon for scammers to disguise a fraudulent email address by making it look a lot like a legitimate one would. For instance, let’s say that you normally work with a business vendor, hypothetically named “Super Business Supplies.” A scammer might send you an email from “sales (at) superbusinessupplies.com.” Looks pretty okay, until you notice that there’s one fewer ‘s’ than there should be. Scammers can get downright devious with these replacements, replacing “Amazon” with “Arnazon” and other blink-and-you’ll-miss-it tricks.

In short, read carefully.
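The dropped-letter and “rn” for “m” tricks above can also be caught mechanically. The following is an added example, not code from the original post: it compares the domain of an incoming From: address against a constructed list of trusted vendor domains (the names and addresses are hypothetical) and flags near-matches.

```python
"""Flag sender domains that look like a known vendor's domain.

Two checks are combined: look-alike character sequences are collapsed
(so 'arnazon' normalizes to 'amazon'), then the edit distance to each
trusted domain's second-level label is measured (so the one-'s'-short
'superbusinessupplies' sits one edit away from the real vendor).
"""
import re

# Constructed list of domains this hypothetical company legitimately deals with.
TRUSTED_DOMAINS = {"superbusinesssupplies.com", "amazon.com", "microsoft.com"}

# Sequences that render almost identically in many fonts (rn vs m, vv vs w, ...).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def normalize(label: str) -> str:
    """Collapse look-alike sequences so 'arnazon' and 'amazon' compare equal."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    if not m:
        raise ValueError("no domain in %r" % address)
    return m.group(1).lower().rstrip(".")


def second_level_label(domain: str) -> str:
    """'mail.example.com' -> 'example'; a bare label is returned as-is."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance=2) -> tuple:
    """Return ('trusted', domain), ('lookalike', imitated_domain) or ('unknown', None).

    max_distance is a constructed threshold: short labels need a smaller one
    to keep false positives down, so tune it per vendor list.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    name = normalize(second_level_label(domain))
    for candidate in sorted(trusted):
        real = normalize(second_level_label(candidate))
        if name == real or levenshtein(name, real) <= max_distance:
            return "lookalike", candidate
    return "unknown", None


def scan_from_headers(headers):
    """Return (address, verdict, imitated_domain) for every non-trusted sender."""
    out = []
    for addr in headers:
        verdict, match = classify_sender(addr)
        if verdict != "trusted":
            out.append((addr, verdict, match))
    return out


if __name__ == "__main__":
    # Constructed sample From: headers, including the post's two tricks.
    sample = ["Sales <sales@superbusinesssupplies.com>",
              "Sales <sales@superbusinessupplies.com>",
              "Amazon <no-reply@arnazon.com>",
              "bob@example.org"]
    for row in scan_from_headers(sample):
        print(row)
```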

3. There are Other Questionable Elements

While that may be a very vague tip, it is only because there is such a wide variety of warning signs that an email is actually a phishing attempt. For instance:

  • Spelling and grammar errors. Look at it this way: would you anticipate a company like Microsoft, or Google, or the likes of such to send you an email riddled with mistakes? Of course not, so if you receive an email that purports to be from a company of high repute, but features these kinds of errors, red flags should be going up.

  • Time-sensitivity. One of a scammer’s go-to tools is to put their target off-balance, especially by pressuring them into immediate action. If you receive an email that offers you a great deal by acting right now, or threatens to shut down your account unless you act right now, the first thing you should do is pick up the phone and call up the organization or individual that sent the email.

  • Requests for personal information. Similarly to any messages that rely on cultivating a sense of urgency, you need to look at any emails that request personally identifiable information, access or financial credentials - really, any data that you and your company rely on - with a critical eye. This is another case where calling to confirm is probably your best bet.

Email can be an extremely helpful business tool, but it can also be an equally useful tool for cybercriminals looking to victimize your business. Coleman Technologies can help you secure it, with best practices and practical solutions to lock it down. To learn more, reach out to us at (604) 513-9428.


Office Gadgets to Add to Your Holiday Shopping List

Here, we’ve put together a list of suggestions for the different kinds of coworker you might have to provide a present for.

The Health-Conscious

Let’s face facts - the desk jobs that are typical of the office aren’t exactly the healthiest ones in the world, so there are plenty of gifts that are intended for the office worker who wants to fight the battle of the bulge.

From numerous standing desk and converter options, to chairs that require active sitting (like those big inflatable balls you sit on) or are specially designed with ergonomics in mind, to elliptical machines that fit under a desk, you have your choice of means to help decrease sedentary behavior in the naturally-sedentary office environment, or at least minimize its impact.

Want to take the more affordable route? Look into posters with yoga positions or rolled up yoga mats that can be stowed away. If your office has an outdoor space, a few outside gifts like frisbees, jump ropes, and hackysacks might be a big hit.

While you may not be able to give your coworker the ability to avoid the snacks in the break room, or the extra cupcakes that Susie from Human Resources brought in from her daughter’s 7th birthday party, you can at least help them fight off their effects.

The Productivity-Minded

We all have that coworker who likes to keep themselves as organized as possible, since the more organized they are, the more productive they can be. There are many gifts that may be perfect for such a person, especially with the new year following so closely behind the holidays. For instance, a personal calendar or planner is a popular tool that many people use, especially those who find it easier to remember their responsibilities if they record them in analog, rather than digital, format.

Alternatively, you might consider getting such a person a means of keeping their space uncluttered and organized, such as an attachable storage shelf for their desk, or a case to help them keep their various peripherals, dongles, and doodads organized and easily portable.

Of course, one of the most common ways to boost productivity is to add an additional display, so you always have the option to invest in any of a variety of products that can accomplish this. There are additional monitors for both desktops and laptops, of course, but there are also docks that can turn a mobile device into an additional, interactive display. Of course, these can be pricier than a gift for a coworker should perhaps be, but there are also options with a much less considerable price tag - like a wireless phone charger or similar device.

The Fidgeter

We all have that coworker who tends to think with their hands - that person who needs something tactile to help organize their thoughts. This is a fairly easy person to buy a gift for, as there are plenty of “desk toys” out there that you can find - fidget spinners, levitating tops, and magnetic balls just being the start.

One word of warning - unless your coworkers are always listening to music while they work, or are exceptionally patient, you will probably want to make sure whatever tchotchke you decide to give someone is minimally disruptive. Otherwise, your gift may result in issues down the line.

Of course, you don’t necessarily need to give gifts that are just for the office. It’s always fun to get a more personalized gift for someone to use in their personal life, as it means that you have really gotten to know your coworkers.

What was the best gift you ever got from an office gift exchange? What would you hope to receive now? Share it in the comments - you never know, someone might see it and give it to you!


What Businesses Need to Know About Their Legal Obligations When Outsourcing Data Processing to Third-Party Service Providers


  1. report to the Office of the Privacy Commissioner (“OPC”) breaches of security safeguards involving personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach of the security safeguard creates a real risk of significant harm to an individual or individuals;
  2. notify the affected individuals about those breaches; and
  3. keep records of all breaches.

What you might not be aware of is that these data breach obligations apply to your business even if it is your third-party data processor who suffered the actual data breach. Additionally, if your business transfers personal data to a third party for processing, your business is legally obligated to ensure appropriate contractual terms are in place with that third party to protect the personal data while it is in the third party’s possession.

Do You Use Third-Party Data Processors?

If you have a business, it almost certainly engages third-party service providers to process its data. For example, if your business uses any cloud services, you have engaged a third-party to process your data. Cloud services include things like online data storage, webmail, social networking websites, online business productivity applications, and software-as-a-service offerings. Any time you collect personal information about an individual (e.g. your customers or employees) and store that information in the cloud, you have engaged a third-party to process personal data thereby triggering legal obligations under PIPEDA.

It is important to keep in mind that third-party data processors are not limited just to cloud services providers. Processing does not necessarily require the application of a computer. For the purposes of PIPEDA, processing is better understood as a use of personal information by a third-party service provider where the third-party did not directly collect the personal information from the individual who is the subject of the personal information, but instead received the personal information from the organization (e.g. a business) that directly collected the personal information and obtained consent to use the personal information for the purposes that the third-party is now carrying out on behalf of the organization (i.e. the entity that originally collected the personal information).  Consequently, a third-party data processor could be, for example, a third-party call centre you engage to contact your customers about important product information, a payroll company that provides your business with payroll services,  or an insurance provider that provides group benefits to your employees.

Who Is Responsible In The Event of a Data Breach

It would be reasonable to assume that if your business transfers personal information to a third party for processing, and that third party suffers a data breach related to such personal information, the third party would be legally obligated to comply with the mandatory data breach reporting obligations under PIPEDA; however, this is not the case. It is the outsourcing organization (i.e. the transferor of the data) – and not the third-party service provider – who is responsible for compliance with PIPEDA’s mandatory data breach reporting obligations. This is because the reporting obligation falls upon the organization in control of the personal information, and the OPC has taken the position that it is typically the outsourcing organization, and not the third-party service provider, who has control of the personal information. Consequently, if you engage a third-party service provider to process personal information that you have collected and that third-party service provider suffers a data breach, you (the outsourcing organization) have the reporting, notification, and record keeping obligations and the corresponding liability under PIPEDA for failure to comply with those obligations.

PIPEDA Compliant Contractual Terms

Since PIPEDA holds the customer (i.e. the outsourcing organization) of the third-party data processor liable for data breach reporting, it is crucial that contracts involving third-party data processing expressly address the customer’s rights, and the third-party service provider’s obligations, upon the occurrence of a data breach. Without data breach terms in your contracts, you might not even be notified by your third-party service provider that a data breach has occurred. This lack of notice would obviously undermine your ability to comply with PIPEDA’s data breach reporting, notification, and record keeping requirements. But to make matters worse, failing to have appropriate contractual arrangements with your third-party processors regarding data security and breaches is in and of itself a violation of PIPEDA’s accountability principle, which states:

An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

Unfortunately, third-party service provider contracts often completely omit data security and breach terms. This should be of immediate concern to customers of those third-party service providers, since the omission of contractual terms regarding data security and breaches places the customer in contravention of PIPEDA (regardless of whether or not a breach has actually occurred) and exposes the customer to significant risk and uncertainty should their third-party service provider suffer a data breach.

So what contractual arrangements should be implemented? For one, outsourcing organizations should ensure that their third-party service providers are obligated to notify the outsourcing organization of data breaches within the time periods required by PIPEDA. The third-party processors should also be obligated to ensure the notice contains enough information to enable the outsourcing organization to comply with PIPEDA’s mandatory data breach reporting obligations. This means that, at the very least, the notice should contain information concerning:

  1. Date and time of breach;
  2. Duration of the breach;
  3. How the breach was discovered;
  4. When the breach was discovered;
  5. Type of security safeguard breached or whether breach occurred due to lack of security safeguard;
  6. The type of breach;
  7. Whether there is evidence of criminal intent or a state sponsored attack;
  8. Who may have had access to the personal information;
  9. Steps taken to mitigate harms flowing from the breach and prevent future breaches;
  10. The types of information involved (e.g. financial information, health information, etc.);
  11. The number of affected individuals;
  12. The names and contact information of the affected individuals; and
  13. Other information that would enable the outsourcing organization to determine if the breach creates a real risk of significant harm to an individual.

Outsourcing organizations should also contractually obligate third-party processors to:

  1. comply with all applicable privacy and data security laws to which they are subject;
  2. limit their use of the personal data to specific purposes;
  3. not disclose personal data to third parties, subject to certain exceptions;
  4. protect personal data from unauthorized access or breach by implementing security safeguards and controls;
  5. investigate data breaches and take actions directed by the outsourcing organization to contain the breach; and
  6. cooperate with the outsourcing organization in connection with the outsourcing organization’s reporting and notification obligations.

Although a good starting point, the above is not a complete statement of all contractual terms that should be included in agreements with third-party data processors and is of course a simplification of a complex topic. Deciding upon and drafting appropriate data security and breach contract terms requires an analysis of the totality of your circumstances by experienced legal counsel knowledgeable in privacy law. If your business needs assistance with developing PIPEDA-compliant contracts or with planning ahead for data breaches by third-party data processors, contact the author of this blog post, David McHugh, by email or at 604-629-5401.

The above blog post is provided for informational purposes only and has not been tailored to your specific circumstances.  This blog post does not constitute legal advice or other professional advice and may not be relied upon as such.

Original Source: https://segev.ca/legal-obligations-when-outsourcing-data-processing


About Coleman Technologies

Coleman Technologies has been serving the British Columbia area since 1999, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses. Our experience has allowed us to build and develop the infrastructure needed to keep our prices affordable and our clients up and running.
