Latest news with #KnowledgeFlow
CBC
2 days ago
- Business
- CBC
Your SIN is a 'master key.' Here's why you must protect it
Dave has learned the hard way that you don't want the wrong person getting a hold of your social insurance number. In 2024, he became a victim of identity fraud. Someone used his SIN to open a bank account and get their hands on some quick cash. And while he didn't lose any of his own money, his credit score tanked for a period. "The most frustrating part was being told, 'Hey, there isn't much we could do about this. Your information is on the dark web. It will be used again.' And months later, it was used again," Dave, of Laval, Que., told Cost of Living. Dave isn't his real name. CBC has agreed to identify him by a pseudonym, as police have told him that further exposing his identity could lead to more challenges. Dave was one of 4.2 million Desjardins customers that had their data leaked in 2019. And they aren't the only victims. Over the past few years, customers with Sobeys, Ticketmaster, London Drugs, Nova Scotia Power and the Canada Revenue Agency, to name a few, have had their data breached. And since more businesses and organizations have started asking for social insurance numbers, experts are cautioning people to be very selective about who they share their SIN with. "It's the most sensitive, secret and unique identifier. Essentially, it's the master key to our identity in Canada," said Claudiu Popa, co-founder of KnowledgeFlow Cybersafety Foundation, which advocates for online safety for Canadians. SINs The social insurance number was created with the launch of the Canadian Pension Plan in the 1960s and used to track who was eligible, as well as for various employment insurance programs. According to Popa, there aren't many places that actually need to know it. A new employer needs your SIN, as does your bank and some government agencies, like the CRA. But more organizations are asking for people's SINs. Popa says that includes gyms, landlords, insurance companies and schools. He says none of these places need your SIN, but that doesn't stop them from asking. That's because it's an easy way to check someone's credit with a unique number. But some companies are also using it as an identifier for customers. "It has just become a lazy way of uniquely identifying people, and unfortunately it places people at the risk of privacy breaches," said Popa. So what do you do if someone asks for your SIN? Just say no. But as the cliché goes, that's easier written into a CBC article than done in real life. Just ask Greg Pace. When Pace made a major career change from an RCMP officer to a farmer, he figured it was a good idea to take some classes to gain more knowledge about the new field. But midway through the government-sponsored classes, someone from the program pulled him aside and informed him he hadn't put his SIN in his paperwork. "I felt there was a lot of social pressure to comply. And yet I knew it wasn't the right ask — that they were, I felt, overstepping," said Pace. Pace, whose background as an RCMP officer taught him to be wary of sharing personal information, asked why, but wasn't given a reason. So he refused, and when it became obvious he was no longer welcome, he left the course. Compromised What makes the social insurance number so valuable to fraudsters, compared to a credit card number or bank password? Popa says it's because, unlike other pieces of information, it isn't easy to change. Dave knows that all too well. Just in the past year, fraudsters have tried to open two different bank accounts in his name and have bought multiple iPhones online. And the onslaught of fraud came just as Desjardins' offer of free credit monitoring was running out. It's taken Dave a lot of time to talk to banks, credit bureaus and police to get it all straightened out each time. And it's not just a hassle. It can tank his credit score. "To know that somebody could use … your information in a fraudulent manner, something that you worked so hard to build, is extremely frustrating," said Dave. Since the Desjardins breach, some have requested new SINs. But that doesn't happen often. It requires proof that the number has been used in fraud, not just that the information has been leaked. And fraudsters are clever, Popa says. They'll often wait until their victims' credit monitoring has run out, which is usually public information. In an email to CBC, Employment and Social Development Canada (ESDC) says it takes steps to protect people from having their SIN compromised, including awareness campaigns, fraud prevention resources and secure application processes. It says that if your number is compromised, you should file a police report, notify the Canadian Anti-Fraud Centre, contact a credit bureau and report it to any affected government programs. It doesn't, however, recommend applying for a new SIN. "Having multiple SINs can increase fraud risk. Getting a new SIN does not erase the old SIN and does not protect it from future abuse," said ESDC spokesperson Saskia Rodenburg. A different method? There is another potential solution: digital IDs. This system would allow you to share only what you want to share and nothing else. "You might have something like a digital wallet that's in your phone, or in your smart tablet," said Joni Brennan, president of the non-profit Digital ID and Authentication Council of Canada. One piece of information on the ID could be your verified income, for example, which you would be able to share with whichever person or organization that requires it. This way, she says, you could share only the information that's necessary, or that you want to share. Some regions are taking the necessary steps, like B.C., but don't expect a Canada-wide digital ID anytime soon. That's because provinces have a lot of jurisdiction over credentials. And as that progresses, Brennan says finding ways to protect our SIN needs to be an ongoing conversation. "As we see, new technologies come forward that might create new ways for bad folks to do bad things, [so] the space that's focused on security and protection and privacy needs to continue to evolve, as well."
CTV News
29-05-2025
- Business
- CTV News
Thieves gain access to about 140,000 social insurance numbers in NS Power database
Peter Gregg, CEO of Nova Scotia Power, makes an appearance before the Nova Scotia legislature's law amendments committee in Halifax on Monday, Oct. 31, 2022. THE CANADIAN PRESS/Keith Doucette HALIFAX — Nova Scotia Power's CEO says up to 140,000 social insurance numbers could have been stolen by cyber-thieves who recently hacked into the utility's customer records. Peter Gregg said in an interview today that the privately owned utility collected the numbers from customers to authenticate their identities. He says social insurance numbers were in about half of the 280,000 customer records breached by cyber-criminals and released onto the dark web. The breach was first reported in late April. Cybersecurity expert Claudiu Popa says it's worth asking why the company would need this kind of personal information. The founder of the non-profit group KnowledgeFlow says there are less risky ways of identifying customers. The federal government's website says each nine-digit number represents a unique identifier for work applications and government records, and it advises people not to share the number unless it's legally required. Thieves can use the number to commit fraud, such as illegally accessing government benefits and tax refunds. This report by The Canadian Press was first published May 29, 2025.
Global News
29-05-2025
- Business
- Global News
Thieves gain access to about 140,000 social insurance numbers in NS Power database
Nova Scotia Power's CEO says up to 140,000 social insurance numbers could have been stolen by cyber-thieves who recently hacked into the utility's customer records. Peter Gregg said in an interview Thursday that the privately owned utility collected the numbers from customers to authenticate their identities. 'If there are a number of John MacDonalds, it (the social insurance number) determines which one we (the utility) are talking to,' Gregg said during the interview at the Halifax headquarters of the Emera subsidiary. On May 23, Gregg said the data of about 280,000 Nova Scotia Power customers was breached in a ransomware attack — more than half of the total. Asked Thursday how many of these records contained the confidential, nine-digit social insurance numbers, Gregg replied, 'approximately half.' Cybersecurity expert Claudiu Popa questions why a utility would need to keep this kind of data about customers for customer authentication purposes. Story continues below advertisement The founder of the non-profit group KnowledgeFlow says there are less risky ways to identify customers with similar names than to store their social insurance numbers. Get breaking National news For news impacting Canada and around the world, sign up for breaking news alerts delivered directly to you when they happen. Sign up for breaking National newsletter Sign Up By providing your email address, you have read and agree to Global News' Terms and Conditions and Privacy Policy 'It clearly states on government websites that using one of a person's most confidential identifiers is not the recommended approach to identifying individuals,' he said in an interview Thursday. The federal government's website says the numbers are for work applications and government records, and it advises people not to share them unless it's legally required. It also notes that thieves can use the numbers to commit fraud, including attempting to access government benefits and tax refunds. 'There's an almost infinite number of ways that these numbers can be used in fraud,' said Popa. Gregg said that the social insurance numbers weren't required from its customers, and they offered them voluntarily. The breach of the customer records was first reported in late April, and the company later indicated the first breach was detected in mid March. Popa has said the company should by now have provided more precise information to each customer about what personal data was stolen, and given explicit warnings about potential harm. Gregg said that more details will be provided as IT staff and other cybersecurity consultants continue working to obtain the information. Story continues below advertisement 'We want to be careful to say what we know and not what we think,' he said. 'As we get deeper into the investigation and we are able to confirm details, that information will be shared with our customers.' This report by The Canadian Press was first published May 29, 2025.
