
4. Have you been hacked?

Data breaches

A data breach happens when personal information is accessed, disclosed without authorisation or is lost.

Source: Data breaches by the Office of the Australian Information Commissioner.

Examples of data breaches

The Office of the Australian Information Commissioner publishes statistics on notifiable data breaches.

They reported that the top five sectors for data breaches are:

  • health services
  • Australian Government
  • finance
  • legal, accounting and management services
  • retail.

The data breaches from cyber security incidents were caused by:

  • phishing
  • ransomware
  • compromised or stolen credentials
  • hacking
  • brute-force attack
  • malware.

CSO Australia has tracked the biggest data breaches of the 21st century.

Stopping data breaches

It is up to organisations and their employees to reduce the risk of data breaches occurring.

How to prevent data breaches has information and tips on how to prevent data leaks at UQ.

As an individual, you can reduce the impact a data breach will have by practising sound password and account management such as using secure passwords and two-factor authentication (this is covered later in the module).

Check if your data has been breached

Activity: Have you been pwned?

Check your email address on Have I been pwned!

It will tell you if websites associated with your email address have been breached.

This site was created by Troy Hunt, an Australian who works as a Microsoft Regional Developer. The site has an About section and an FAQ section explaining how the site works, along with information on its history and purpose.

If your email is connected to a security breach, and you reuse passwords for multiple sites, you may be at risk.

Groups or individuals will take large numbers of leaked email addresses and associated passwords and start trying them on major websites like Facebook, Gmail, Instagram etc. They try these email and password combinations to get access to the accounts of anyone who reuses the same password across websites.

Important recommendations:

  • Don’t use the same password everywhere
  • Be vigilant in checking your account security regularly
  • Don’t use the same password for extended periods of time (2+ years).

The UQ Information and Communication Technology Policy includes password recommendations.

How hacking happens

Data breaches can occur in a variety of ways, but the common element is that someone gains access to a database of user information, copies or steals the data, and then sells or releases it.

Brute force

Brute forcing in its simplest form is someone typing in a password of aaaa, aaab, aaac, etc. until they find the right combination. With today’s technology, a computer can check over 1 million password combinations a second. A lot of websites restrict how many passwords can be tried in a certain time frame before the account is locked or temporarily suspended.

When hackers breach a collection of users’ information, the passwords they find and steal usually aren’t stored in plain text on the system. Instead, each password is usually stored as a cryptographic hash: a seemingly random string of characters derived from the password by a one-way function, so that the original password cannot simply be read back. It is these stolen hashes that attackers brute force, guessing candidate passwords and hashing each one until a guess produces a matching hash and reveals the password.

Stopping brute force attacks

You can make it take longer to brute force your password by increasing the length and complexity of your password.

‘Abcdefghijklmnopqrstuvwxyz’ may be long, but it is not complex.

Most password cracking software uses what’s known as a dictionary attack to check popular words or phrases first, such as abc123, trustno1, drowssap, password123 etc.
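The following added example (not part of the original module) puts the two ideas above into code: it rejects passwords that a dictionary attack would catch first (common words, reversed words such as drowssap, and sequential runs such as the alphabet), and otherwise estimates the worst-case time to exhaust the keyspace at the 1 million guesses per second quoted above. The small wordlist and the ten-year "strong" threshold are assumptions made for the example.

```python
import string
from typing import Optional

# Constructed mini wordlist: the weak examples named on the page plus a few
# patterns cracking tools try first. A real checker would load a large wordlist.
COMMON_PASSWORDS = {"password", "abc123", "trustno1", "qwerty", "123456"}
GUESSES_PER_SECOND = 1_000_000          # rate quoted on the page
STRONG_THRESHOLD_SECONDS = 10 * 365 * 86400  # assumption: ten years of guessing

def alphabet_size(password: str) -> int:
    """Size of the character pool implied by the classes the password uses."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(c in string.punctuation for c in password): size += len(string.punctuation)
    return size

def is_sequential(password: str) -> bool:
    """True when the (lower-cased) characters step by exactly +1 or -1 throughout."""
    p = password.lower()
    if len(p) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(p, p[1:])}
    return diffs in ({1}, {-1})

def dictionary_hit(password: str) -> Optional[str]:
    """Return the wordlist entry this password reduces to, if any (case, reversal, trailing digits)."""
    p = password.lower()
    stripped = p.rstrip(string.digits)          # 'password123' -> 'password'
    for candidate in (p, p[::-1], stripped, stripped[::-1]):
        if candidate in COMMON_PASSWORDS:
            return candidate
    return None

def brute_force_seconds(password: str) -> float:
    """Worst-case seconds to try every string of this length over this alphabet."""
    return alphabet_size(password) ** len(password) / GUESSES_PER_SECOND

def assess(password: str) -> dict:
    """Classify a password the way the page describes: dictionary first, then raw keyspace."""
    hit = dictionary_hit(password)
    if hit:
        return {"verdict": "weak", "reason": f"dictionary word '{hit}'", "seconds": 0.0}
    if is_sequential(password):
        return {"verdict": "weak", "reason": "sequential pattern", "seconds": 0.0}
    secs = brute_force_seconds(password)
    verdict = "strong" if secs > STRONG_THRESHOLD_SECONDS else "weak"
    return {"verdict": verdict, "reason": f"{alphabet_size(password)}^{len(password)} keyspace", "seconds": secs}
```

Running `assess("Abcdefghijklmnopqrstuvwxyz")` reports it as weak despite its length, which is exactly the page's point about long-but-not-complex passwords.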

Social engineering

Social engineering can be an effective method for some individuals to access a variety of accounts. Social engineering is the manipulation of people so that they give up personal information about themselves or others. This personal information is then used to access systems the person uses.

Video: What is Social Engineering? (YouTube, 2m4s)

How to avoid social engineering

  1. Do not use the same email address for every site or service you use online. The more intertwined and dependent your accounts are the more widespread the damage a security breach can cause. For example, don’t use your Gmail address for every service’s password recovery option.
  2. Use different logins for each service. Never use the same password more than once. Make sure your passwords are strong.
  3. Use multi-factor authentication. After you have entered in a correct username and password you are prompted to confirm your identity in another way.
  4. Get creative with security questions. The additional security questions websites ask you to fill in are supposed to be another line of defence, but often these questions are easily guessed or discoverable. You can shift the letters in your answer or use your own special coding system to make sure only you know those security answers.
  5. Frequently monitor your accounts and personal data. Check your account balances to protect against identity theft and credit card fraud. You can use Google Alerts to check if your details have been posted online anywhere.
  6. Avoid falling victim to phishing emails. Phishing emails are becoming harder to detect, and easier to fall victim to.

Licence


Digital Security Copyright © 2023 by The University of Queensland is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.