In the past two weeks 90,000 Canadians had their information stolen after BMO and CIBC were hacked, and the FBI warned Russian malware had infected hundreds of thousands of routers across the globe.
It begs the question: how safe is the information we so freely handout?
“If you’re a savvy computer user, internet user, you have to treat everything you put online as public domain, which it is. It can be scraped and manipulated in a million ways, everyone should be careful,” Gabe Ignatow, a professor of sociology at the University of North Texas said.
Part of his research includes collecting ideas, using a process called text mining. Ignatow uses open-source programs to “crawl” through public Facebook pages, Twitter profiles, and other social networking sites to gather people’s “true ideas.”
“All that data is available online in a million different kinds of digital archives, and the technology for acquiring and analyzing that data is pretty easy to get. It’s inexpensive and it’s widely available,” he explained.
Although Ignatow uses the data he collects for academic purposes, there are other, more nefarious uses.
“A lot of hacking doesn’t rely on the old 1970’s brute-force hacking. A lot of it is dependent on what we call social engineering. The idea that you convince someone that’s a gatekeeper that you have enough information to allow them to let you in,” University of Regina information and communication technology professor Alec Couros said.
“Every bit of information that you provide adds to a package of what hackers can find about you. If they can find a lot of information on social media: your age, your address, license plates; anything that shows up in a photo, and they also add the more delicate information like a social insurance number, these things can put you at risk,” he continued.
Despite the growing threat, it is still common place for companies to ask for private information like a Social Insurance Number when applying for housing, opening a bank account, or even purchasing a new cellphone service.
“We ask for our customers to provide when they’re setting up services with us so that we can do a credit check on them to see what their credit history is like,” Greg Jacobs, SaskTel’s External Communications Manager said.
“It’s a form of protecting their investment, and helping them make an investment decision,” Nadine Johnson, the Programs Operations Manager for the Office of Residential Tenancies added.
“Typically a landlord wants to bring on a tenant that will pay their rent, that will not be a nuisance to their neighbours and that will respect their property. The information that they collect would direct the landlord,” she continued.
But experts say to use caution when handing that information out, particularly to smaller businesses that may not have the security necessary to protect it.
“Many smaller companies don’t have established practices in terms of how they keep information. When someone asks you “Do you mind giving your information over the phone, or that I can write it down, or do you want me to email it?” You have to be very cautious in all of these cases because they may not be handling your information very well,” Couros noted.
Although customers have the right to deny giving businesses access to that information, businesses can turn them away as a result.
If the customer agrees to share their Social Insurance Number, the data is typically given to a third-party company to run a credit check.
But even those financial giants are suspect to cyber-attacks.
In September 2017, credit company Equifax was hacked and 146.3 million people across the United States, Canada, and the United Kingdom had their information stolen.
“The vast majority of people in a large or small institution don’t understand cyber-security from a technical perspective, or a social perspective. We have to be very careful with that,” Couros cautioned.
“More people need to understand the risk, more people need to understand what it means to have a casual practice in terms of taking information,” he added.
SaskTel noted that “we take the privacy of our customer’s information very seriously and do our best so that it remains private to them and secure, so we have a number of private security measures in place to protect that.”
Jacobs added that he could not divulge the methods they use to protect the data as it could compromise their security measures.
It’s not illegal for companies in Canada to ask for someone’s Social Insurance Number, but there are only a handful of instances where it’s required. The federal government has created a helpful list, but most instances where it’s required are for taxation or social assistance purposes.
“Our office has long held the position that the SIN should not be used as a general identifier and that organizations should restrict their collection, use and disclosure of SINs to legislated purposes,” the Office of the Privacy Commissioner of Canada said in an emailed statement.
“Organizations that collect SIN should employ strong security safeguards to protect them,” it continued.
Canadian companies are required to “protect the personal information entrusted to them with appropriate security safeguards relative to the sensitivity of the information” but experts still recommend not giving out your social insurance number, and minimizing the amount of personal information you post online.
“There’s much more information about everyone of us on the internet, on the Deep Web, than we even understand. I think we’re much more exposed than we possibly think,” Couros concluded.