I’m being held for ransom.
My information is, at least. That’s what my bank told the media this week.
I’m one of the 90,000 Canadians whose information was hacked by what appear to be Russian-based online thieves.
According to media reports, an email from the hackers was sent to the two banks compromised, BMO and CIBC’s Simplii. The thieves demanded $1 million for the safe return of our personal information, sharing just enough information to give the threat credibility. The price tag actually sounds pretty low to me, and I can’t decide if I think it’s a reflection on the maturity of the hackers or a commentary on the true value of such information.
The hackers claim to know my name, my bank account number, my password, my AirMiles information, and my account balance. I don’t use that password or security questions anywhere else, so I feel it’s a limited risk. The account balance would be embarrassingly low if it were revealed. They can have my AirMiles; I maybe earn a free movie every two years. My name has even changed (thanks for the reminder I hadn’t updated that detail with the bank!). So yeah, maybe $1 million is a fair ransom if the other 89,999 folks have similar lives to mine.
But the hackers also claim to have my social insurance number and are willing to sell it off to someone who might try to do something more malicious with it. And that is a risk I take seriously. I know that I currently have an excellent credit score; that’s a valuable commodity that could be manipulated in a way that could turn my life upside down.
But it’s also something that has already been stolen once this month.
Yes, this week’s phone call from the bank was the second notice I’d received of a breach regarding my information in May. An employer had a piece of computer equipment stolen that might contain personal banking information, too. Both the employer and the bank are offering a free year of credit monitoring, for which I’m grateful. But then again, it’s with Equifax, which was itself the victim of a massive data breach last year.
So really, where does this leave me?
I’m not sitting here worried about what might happen, but I am changing passwords and checking to see if anyone is trying to get a loan or credit card in my name. I’m looking into insurance that covers legal fees in the event someone does steal my identity. I’m sharing my story so more folks will stop and think about the trust we’ve placed in each other.
Because that’s what this boils down to, really. We’ve trusted each other to create and maintain systems that keep our information secure. And just as easily as someone creates a program, someone else finds a way to breach it. So the question is: do we keep trusting each other – our financial institutions, our government, our social media companies – with sensitive information? What is our alternative?
We’ve created a world in which we want immediate access to everything, and to have that, we need to accept some risk in our lives. We need to demand the best from the organizations we trust, but we also need to demand the best from ourselves in understanding what we’re sharing and why we’re sharing it, and in making more informed decisions about when and where it’s necessary. The silver lining in this tale may be the speed at which the banks went public with the issue, a positive shift from the former hush-hush nature of such attacks.