In my opinion | Don’t panic!
Colleague Boudewijn van Dongen received an e-mail from the TU/e security colleagues, as he described in his column of June 29. He received 'a panicked email' after an alert was received that his personal data was leaked in a data breach. Let me reassure you that our security colleagues were not at all panicked and are not easily panicked by these kinds of alerts, but we do take them seriously!
Like other organizations we use the website Have I Been Pwned to check and receive alerts when e-mail addresses of the TU/e are part of reported data breaches. So far this year, we received alerts on 9 external data breaches through this service involving a bit more than 250 TU/e e-mail addresses. Last year, it was 12 alerts in total involving just over 100 e-mail addresses.
Being part of a data breach with your personal or work-related data poses some risks. The (personal) data that is collected is likely to be used to create user profiles, which are used for phishing or social engineering attacks. The better the user profile, the more effective the phishing or social engineering attack, and the higher the chances of breaching an account to get access to an organization or personal account.
Now, as said, there is no reason to panic. We all know that panic is a bad advisor, same as with fear by the way. So, take a deep breath and memorize the following.
Never ever reuse a password! Create a separate password for each and every account you have. There are plenty of guidelines out there on how to create a safe password. The easiest is probably to use a long enough sentence you can remember easily for your most important accounts. You can store it in (or use) a password manager or write it down in a personal booklet (and no, not on a sticky note pasted to your monitor or laptop).
Enable MFA (Multi Factor Authentication) where possible. It is enabled for most of the TU/e applications and systems by now and it is used as a second factor next to your password. Use MFA as much as possible, also for your other work-related or personal accounts. In the past we have seen students' and employees' accounts within the TU/e being compromised, sometimes with huge impact on their lives. We aim to help protect against these attacks. MFA is a big help, but TU/e MFA does not help protect your personal accounts without MFA, where many people still reuse passwords.
Be careful with unexpected messages and phone calls. Check unexpected e-mails for the signs of phishing (check the sender's e-mail address, check any links in the message by hovering over the link with the pointer, is there any urgency in the message?).
The same goes for unexpected phone calls with urgent requests. Just hang up. If you receive a payment request from someone you do know, check with that person whether he or she actually sent it to you. Use a different means to contact that person to ensure you are not connecting with the criminal. Did you receive a phishing e-mail? Please forward it, as an attachment, to abuse@tue.nl or use the Report Abuse Button in Outlook.
If you received a scam call and shared more information than you would have wanted, please raise a data breach report through the Selfserviceportal and notify the Dutch police.
Martin de Vries is the Chief Information Security Officer of TU/e.
Main photo | Anyaberkut / iStock