Latest news with #dataprotection


Fast Company
6 hours ago
- Fast Company
Those security codes you ask to receive via text leave your accounts vulnerable. Do this instead
Do you receive login security codes for your online accounts via text message? These are the six- or seven-digit numbers sent via SMS that you need to enter along with your password when trying to access your bank accounts, health records, online photos, and more. This type of security is known as multifactor authentication (MFA) and is designed to keep your account secure even if someone knows your password. Without the additional security code, bad actors can't gain access to your data. Or at least that's the idea. It's increasingly becoming evident that security codes sent by text message may leave our data less secure than we thought. Fortunately, there are other, more secure ways to keep your accounts safe. Here's why it's probably a good idea to stop using SMS for your security codes, and what you can use instead.

An opaque security code industry

You may think that the text message you receive with the code you need to log into your account is coming from Amazon, Google, Meta, or whoever provides the service you are logging into. But it's probably not—and therein lies the security risk. Bloomberg and Lighthouse Reports just released an alarming report revealing that some of the most prominent tech companies recommending that users enable multifactor authentication—including Amazon, Google, and Meta—have used third-party companies to send their security codes to users via text. Some of these third-party companies have been linked to institutions in the surveillance industry and even government spy agencies. Additionally, some of the security codes that these third-party companies were responsible for transmitting have been associated with data breaches of individuals' accounts. Worse: the intermediaries operating in this space do so with little oversight from their tech giant clients or regulators.

And Bloomberg and Lighthouse Reports' piece isn't the first to warn about the vulnerability that texted security codes expose users to. In December, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to the public, urging people to migrate away from receiving security codes via text. 'Do not use SMS as a second factor for authentication,' CISA's memo warned. 'SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them.' But this vulnerability in texted security codes doesn't mean you should revert to using merely a password to access your accounts. Instead, you should consider a superior form of multifactor authentication—or upgrade to passwordless logins entirely.

Get your security codes from an authenticator app instead

Some websites and services are stuck in the past when it comes to multifactor authentication. That is, these websites do offer their users MFA, but only give the option of receiving security codes via text message—something CISA now warns against. Thankfully, plenty of websites offer a more secure way to receive security codes: via an authenticator app. Simply put, an authenticator app is an application that resides on your phone or computer, generating the security codes for all of your online accounts that have multifactor authentication enabled. The code for each account in the authenticator app is unique, and it changes every 30 seconds. When you need to log in to a site that you have set up with multifactor authentication, you'll be prompted to enter your security code, which can be found in your authenticator app. And since these authenticator app codes are generated on your device, they can never be intercepted in transit, because they are never sent to you in the first place. Regardless of whether you use Windows, Mac, iPhone, or Android, you have numerous authenticator apps to choose from. These include Apple's own Passwords app, Google Authenticator, Microsoft Authenticator, LastPass Authenticator, and more.

Even better, start using passkeys

While authenticator apps are vastly more secure than text messages for getting your security codes, the safest login method no longer relies on codes—or even passwords—at all. I'm referring to passkeys, the passwordless login technology spearheaded by the FIDO Alliance, a consortium of tech companies including Amazon, Apple, Dell, Google, Meta, Microsoft, NTT, Samsung, and others. Passkeys are cryptographically complex from a technology perspective, but easy to use from a consumer perspective. When you add a passkey for one of your online accounts, you get one digital key, saved to your device, and the website gets a matching key. When you log into that website, the passkeys must match; otherwise, you won't get access to the account. You verify that you are the true holder of your passkey by confirming your identity with your biometrics—a facial or fingerprint scan, right from your phone or laptop. Passkeys can't be phished or guessed. And if one of your passkeys were stolen and put on someone else's device, it wouldn't work either. That's because the thief couldn't fool the passkey into thinking they were you since they don't have your face or fingerprint. And because passkeys don't require any alphanumeric input authentication—such as security codes—there's no code you need to worry about either. Passkeys are also synced to the cloud via your device's password manager, so if you lose your device, you can quickly regain access to all your passkeys from, for example, your Apple or Google account. The only drawback to passkeys is that not all online accounts support them. Still, each month, more and more sites are offering users the option for passkey logins. However, if your accounts don't support passkeys yet, you should still enable multifactor authentication. Just remember to opt to receive your security codes via an authenticator app rather than a text message.

Finextra
3 days ago
- Business
- Finextra
Beyond the Firewall: Rethinking Payment Data Security: By James Richardson
In today's digital economy, protecting sensitive business payment data is no longer just the responsibility of IT or treasury departments — it's a strategic business imperative. While enterprise systems like ERP and CRM often have strong security protocols, these systems don't operate in a vacuum. Payment data is frequently copied, stored, and used across spreadsheets, shared drives, and supplier portals — far beyond the safety of core systems. That's where the real risk lies.

Why Traditional Defences Fall Short

Historically, businesses have relied on layered security controls like encryption, firewalls, and access policies to protect payment information. But these measures alone don't eliminate the inherent risks of decentralised data. Payment details often reside in multiple locations across an organisation — from shared folders to manual payment files — making it hard to track who has access, where data is stored, and how it's being used. In these uncontrolled environments, human error, system design gaps, and cybercriminals can easily exploit weaknesses. And the stakes are high. Data breaches involving bank account details not only damage reputations and erode customer trust but can also expose organisations to direct financial loss, fraud recovery efforts, and regulatory scrutiny.

The Rise of Payment Tokenisation

To address this growing threat, an additional and effective approach is gaining traction in B2B payments security: payment tokenisation. Tokenisation replaces sensitive bank account information with a secure, randomised token — a placeholder with no exploitable value. These tokens are stored and managed outside the business's systems, in highly secure external environments. The original bank data stays protected, while the business uses the token for processing payments as if it were the real thing. In practice, this means organisations can continue to run payments efficiently — but without ever holding the real account data internally. Even if a breach occurs, attackers get meaningless tokens rather than actionable payment credentials.

Strategic Benefits Beyond Security

The appeal of tokenisation goes beyond protecting against fraud. It simplifies compliance and risk management by centralising sensitive data into a single, tightly controlled location. That eliminates data sprawl, reduces audit complexity, and gives finance teams greater peace of mind. Organisations embracing tokenisation also gain operational resilience. Instead of relying solely on internal controls, they reduce systemic risk by shifting sensitive data management to dedicated, security-hardened infrastructure. That's especially valuable for large businesses managing thousands of payments a day or navigating complex multi-supplier networks.

From Niche to Necessity

While tokenisation is already well established in card payment systems, its adoption for bank account data is only just beginning. There's no regulatory requirement — yet — but that's starting to shift. Standards like PCI DSS don't currently mandate tokenisation for bank details, but forward-thinking organisations aren't waiting for legislation to catch up. Rising fraud, evolving cyber threats, and increasing expectations from partners and regulators are all pushing tokenisation from a niche solution to a best-practice standard. For financial operations teams, it's a proactive step that protects both reputation and revenue.

The Strategic Imperative

Tokenisation isn't just a cybersecurity tactic — it's a smarter, more resilient way to handle business payment data in a landscape where breaches are inevitable and reputational risk is high. It streamlines compliance, enhances governance, and dramatically lowers the threat posed by internal errors, third-party risks, and increasingly sophisticated attacks. The time to act is now. Businesses that wait for regulation, a major breach, or a mandate from a banking partner are already on the back foot. Forward-looking organisations are proactively removing sensitive bank account data from their systems — not simply to protect it, but to eliminate the need to hold it in the first place. Don't wait for a crisis to rethink your approach. Tokenisation is fast becoming a defining feature of modern payment security strategy. If your business handles payments, it's time to ask: why hold the risk at all?


Forbes
3 days ago
- Business
- Forbes
Securing The Database: The Hidden Side Of Risk Management
Jakub Lamik is the CEO of Redgate Software.

Data is one of the most valuable assets for any organization, and the risk of that data being tampered with, stolen or deleted is a fundamental fear. Over the past decade, we've seen an increase in high-profile cases where data loss has caused organizations significant financial or reputational damage. The regulatory environment is also becoming progressively more stringent about how to handle data securely, with the emergence of legislation like HIPAA and the California Consumer Privacy Act in the U.S. as well as GDPR and the Digital Operational Resilience Act in the EU. Organizations that get this wrong face significant penalties. With the rise of AI, both the volume of data and the value of that data for training bespoke AI models will only increase. Organizations will become even more protective of their data, and the way data is captured and stored will become even more regulated.

Although cybersecurity is a considerable concern, the importance of securing the database is easily overlooked. While no data is ever completely secure, organizations can take plenty of actions to reduce the risk profile their database presents. Building a deep understanding of the specifics of your database estate to personalize your risk management approach is crucial.

The truth is that most data compromises happen due to human factors rather than hackers gaining unauthorized access to data using sophisticated technical exploits. Sometimes, this involves social engineering techniques that encourage people to compromise their own systems, but the root cause is often simple human error or a failure to implement best practices within increasingly complex and fragmented database estates. Verizon's 2025 Data Breach Investigations Report found that roughly 60% of breaches involve human elements. Vulnerability within the supply chain can also increase risk, with 30% of breaches from Verizon's report involving compromise via a third party or supplier. In 2013, a Target data breach, which exposed personal data from over 70 million customers, was alleged to have started after attackers stole network credentials from a third-party HVAC vendor.

Our State of the Database Landscape research, involving 2,500 respondents from across the database industry, surfaced key drivers behind the increasing complexity of database estates. The rising use of multiple database platforms—because organizations need the best platform for handling different types of data or after integrating different technology stacks through mergers and acquisitions—is one factor. Another is the increasing fragmentation of data estates across a blend of cloud and on-premises hosting solutions. Roughly one-third of organizations exist in what IDC calls the "messy middle," with some workloads operating in the cloud while others remain on-premises. This complexity only increases the challenge of keeping data secure. Security is simple to manage when you have one server. However, with multiple databases split across different platforms (some hosted locally and some in the cloud) in an environment where different users (including third parties) need to access the data, security practices become more difficult. Organizations increasingly need processes and tools that keep their data secure regardless of where it's hosted.

Security is often top of mind for production data, but best practices are less commonly implemented when managing test data—even though this data creates risk. Test data management challenges include the risk of data breaches when using real data featuring sensitive information in less secure test environments, limited insight into locations where test data contains sensitive information, less rigorous oversight of test data deletion and an unclear picture of who has access to test data within the organization. As well as exposing the organization to external threats and breaches that human error causes, poor test data practices also risk noncompliance with regulatory requirements. Suboptimal test data practices can trigger unintended business consequences; organizations that only infrequently provision fresh test data for their development teams experience more data issues in production compared with those that regularly provision fresh test data. Limiting sensitive test data to specific users, masking or deidentifying the data or replacing it with synthetic data are all increasingly popular options for managing test data securely.

Deep knowledge of your unique situation and your organization's needs can guide informed, security-conscious decision making. If you know that one of your organization's databases is populated with synthetic data for internal use only, you can take a less stringent security stance compared with your highly access-controlled production database. Because social engineering and human error are such significant threat vectors, equipping your teams with robust processes and skills to effectively manage database risks can also support a strong security posture. Ensuring your teams have the technical knowledge to implement secure systems and processes while building their understanding of human security factors and the business consequences when something goes wrong is paramount.

It's much easier to grant permissions initially than to remember you need to revoke them when someone leaves or changes roles. Having processes in place to keep permissions updated following people changes within your organization is important, especially if your permissions landscape is fragmented across multiple platforms and locations. Ransomware can attack database objects, either encrypting or exfiltrating the data. Practices that help secure your databases against ransomware attacks include storing backups in another location and testing your ability to restore them, using admin accounts with multifactor authentication to log into database servers and ensuring all systems are patched. Finally, you can equip your teams with third-party database management tools that support secure database practices, such as automating backups and recovery, strengthening encryption or alerting your teams about unusual activity. Look for tools that support your organization's specific security priorities.

Strong database management practices that guard against human error are a fundamental but often overlooked aspect of cybersecurity. By equipping your teams with the necessary skills and tools and ensuring that the database sits at the heart of your security posture, you can robustly defend your organization's most valuable asset.

National Post
3 days ago
- Business
- National Post
Wasabi Technologies Achieves ISO/IEC 27001 Certification
Global security certification affirms Wasabi's commitment to high-performance, affordable cloud storage with zero compromise

BOSTON — Wasabi Technologies, the hot cloud storage company, today announced its achievement of ISO/IEC 27001 certification – the global standard for information security management systems. This milestone reinforces Wasabi's position as the trusted choice for enterprises demanding uncompromising data protection alongside breakthrough performance and cost efficiency.

As data breaches cost organizations an average of $4.88 million globally according to IBM, Wasabi's certification provides CISOs and IT leaders with the assurance they need to accelerate cloud migration strategies without compromising security posture. The internationally recognized ISO/IEC 27001 certification ensures Wasabi's security architecture is robust and protects petabytes of mission-critical data across healthcare, education, government, financial services and media sectors globally.

'ISO/IEC 27001 isn't just a check-the-box exercise for Wasabi. It's about proactively helping our customers navigate a difficult cyber threat and compliance landscape,' said David Friend, co-founder and CEO of Wasabi Technologies. 'While other cloud providers force customers to choose between security, performance, and affordability, we deliver all three without compromise. This certification complements our data center operators' existing ISO 27001 certifications, meaning our customers benefit from a fully certified storage stack from infrastructure to application layer.'

Why This Matters for Public and Private Sector Organizations

Wasabi's ISO 27001 certification provides peace of mind for IT security leaders concerned with securing sensitive data:
- Regulatory compliance made simple: Automatic alignment with a global regulatory framework.
- Risk mitigation: Comprehensive threat detection and response protocols that protect against evolving cyber threats.
- Audit readiness: Built-in documentation and monitoring that streamlines compliance reporting.
- Zero-Trust Architecture: Advanced encryption and access controls that secure data at rest and in transit.
- Beyond certification: Wasabi's immutable storage and multi-user authentication guard against ransomware threats.

About Wasabi Technologies

Recognized as one of the technology industry's fastest growing companies, Wasabi is on a mission to store the world's data by making cloud storage affordable, predictable and secure. With Wasabi, visionary companies gain the freedom to use their data whenever they like without being hit with unpredictable fees or vendor lock-in. Instead, they're free to build best-of-breed solutions with the industry's fastest-growing ecosystem of independent cloud application partners. Customers and partners all over the world trust Wasabi to help them put their data to work so they can unlock their full potential. Visit to learn more.


CTV News
4 days ago
- Business
- CTV News
Genetic testing firm 23andMe faces large fine for failing to protect customer data
Privacy Commissioner of Canada Philippe Dufresne leaves after a news conference at the National Press Theatre in Ottawa on Thursday, Feb. 29, 2024. (THE CANADIAN PRESS/Justin Tang)

Genetic testing company 23andMe failed to take basic steps to protect customer data, according to a joint investigation by Canada and the U.K. into a massive global data breach that resulted in information from nearly seven million people being posted for sale online. As a result, the U.K. is imposing a £2.31 million (C$4.24 million) fine on the company. Canada does not have the power to impose a similar penalty under current privacy laws.

Canada's privacy commissioner Philippe Dufresne and U.K. information commissioner John Edwards revealed their findings at a news conference in Ottawa on Tuesday morning. 'With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,' Dufresne said on Tuesday. 'Our investigation found that these types of security measures were not in place at 23andMe.'

In September, 23andMe agreed to pay US$30 million to settle a lawsuit after hackers accessed the personal data of 6.9 million customers and posted their information for sale on the dark web, including data from nearly 320,000 people in Canada and more than 150,000 people in the U.K. The 2023 attack appeared to specifically target customers with Chinese and Ashkenazi Jewish ancestry. 'The compromised data included highly sensitive information related to health, race and ethnicity information as well as information about relatives, date of birth, sex at birth and gender,' Dufresne explained. 'Much of this information was derived from individuals' DNA. The breach serves as a cautionary tale for all organizations about the importance of data protection in an era of growing cyber threats.'

The joint investigation by privacy authorities in Canada and the U.K. was launched in June 2024 to examine the scope of the breach and 23andMe's response. 'In the wrong hands, an individual's genetic information could be misused for surveillance or discrimination,' Dufresne said in a news release when the investigation was announced. 'Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.'

23andMe filed for bankruptcy in March. On June 13, it was announced that a non-profit led by 23andMe co-founder Anne Wojcicki would purchase the troubled company for US$305 million. Founded in 2006, 23andMe claims to have more than 15 million customers worldwide. The business was centred on at-home DNA testing kits that use saliva samples to provide genetic insights about health risks and ancestry. The California-based company went public in 2021, but never made a profit.

'23andMe failed to take basic steps to protect people's information,' Edwards said at the press conference on Tuesday. 'Their security systems were inadequate, the warning signs were there and the company was slow to respond. This left people's most sensitive personal data vulnerable to exploitation and harm.' The investigation also found that 23andMe did not adequately notify regulators and affected customers of the breach as required by Canadian and U.K. laws. Dufresne said they were concerned to find the stolen data was later offered for sale online. 'Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information,' Dufresne said. 'Organizations must also take proactive steps to protect against cyberattacks. This includes using multi-factor authentication, strong minimum password requirements, compromised password checks, and adequate monitoring to detect abnormal activity.'

Dufresne also called for modernized privacy laws in Canada that would allow him to issue fines and orders like his counterpart in the U.K. 'This is something that exists broadly around the world in privacy authorities and it is something that is necessary,' Dufresne said. 'You can see in a case like this in terms of cybersecurity, in terms of things where time is of the essence, where there are real consequences, this is a gap.'

In a statement to CTV News, a 23andMe spokesperson said by the end of 2024 the company 'had implemented multiple steps to increase security to protect individual accounts and information.' 23andMe's new owner, they added, has 'made several binding commitments to enhance protections for customer data and privacy,' including allowing users to delete their accounts and opt out of having their information used for research.

A 23andMe saliva collection kit is shown on March 25, 2025, in Oakland, Calif. (AP Photo/Barbara Ortutay)

With files from Reuters and CNN