On June 27, 2022, the Office of the Privacy Commissioner of Canada, along with fellow members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group (IEWG), released guidance documents to help individuals and organizations protect against credential stuffing attacks.
Credential stuffing attacks exploit the tendency of users to reuse their usernames and passwords across multiple platforms. Threat actors use username and password information that was leaked in past data breaches to access other online accounts belonging to the same users. These attacks may result in financial or reputational harm for individuals, and in cyber breaches for organizations even where a robust cyber security infrastructure is in place. In its guidance, the IEWG states that hundreds of millions of credential stuffing attacks occur each day and that credential stuffing has become a global threat to personal data.
To assist individuals in defending against credential stuffing attacks, the IEWG advises, among other things, that users should:
For organizations, the IEWG discusses (i) implementing password systems and policies that fortify the creation and management process for account passwords; (ii) making MFA an essential security measure in one’s organization; and (iii) using alternatives to traditional account setups, such as guest accounts, single sign-on systems, and secondary passwords.
Although these guidelines may not represent legal obligations across all IEWG member jurisdictions, the IEWG intends to raise awareness of the threat of credential stuffing and assist the general public, along with private organizations, in fortifying their personal information practices.
Summary By: Imtiaz Karamat
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.