Learn more about investing with interesting stories and articles.

The new, everyday reality of data breaches, and how you can protect yourself

Posted by Nancy Hall-Chapman March 29, 2019 • 6 min read

Share to Facebook Share to Twitter Share with Email
  • Data breaches are an everyday reality in today’s online world
  • Having a strong password isn’t enough
  • Multiple layers of authentication can keep your information more secure
a woman looking at her phone with concern

Once upon a time, all you needed to do to keep your online information secure was to set a strong password and avoid clicking links from suspicious-looking emails. Stories about data breaches cropped up from time to time, but not every week. The likelihood of your personal and financial account information being compromised or, worse, you becoming a victim of identity theft seemed remote—something that might happen to other people, but not you.

Wake up to the new reality of data breaches:

  • Last year, the number of data breaches hit an all-time high, affecting millions of accounts and users. Everyone’s familiar with the Facebook breach which affected 29 million users, but there were many others: Marriott Starwood hotels (500 million users), Google+ (52.5 million users), Timehop (21 million users), to name a few.
  • From 2013 to today, the number of data records lost or stolen worldwide totals 14,717,618,286—that’s over 6 million lost or stolen every day. And these numbers are rising: the total number of data records breached in the first half of 2018 was 3,353,172,708—a 72% increase over the same period in 2017.
  • One in three people who experience a data breach will become a victim of identity theft—meaning someone will use that person’s personal information to take over their account or to open new accounts in that person’s name

With these numbers, it’s hard to feel complacent about the security of your online information. On the other hand, the sheer number of data breaches may make you feel desensitized to it all—or have you throwing up your hands at an overwhelming reality that seems out of your control.

The good news is, steps are being taken to deal with data protection at a governmental level. For example, in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how companies collect, use, and disclose their customers’ personal information for business. And recently, the Digital Privacy Act was enacted to impose a new set of obligations on companies to inform individuals if their personal information has been lost, stolen, or inappropriately accessed, placing them at risk of harm. At the corporate level, many companies have adopted, and continue to develop, a layered approach combining multiple firewalls and data encryption to ensure the security of your information. See Questrade’s Privacy Policy (under Security) for more details on the security measures we have in place. However, ensuring your safety and security is a shared responsibility.

You are who you say you are: setting up layered authentication to access your online information

Layered, or multi-factor authentication (MFA), is the modern approach—ensuring no one but you, or people authorized by you, can access your online accounts. MFA uses a combination of credentials:

What you know (your password)
What you have (your phone)
Who you are (your fingerprint or face)

On their own, each of these credentials is not completely effective for authenticating users. But when combined, they can be very secure.


There was a time when setting up a strong password ensured no one could access your online account. But now, in an era where one person could have over 100 different logins, using the same password for every login carries enormous risk. User-created passwords are still a standard login credential, so it’s important to follow these best practices when you create one:

  • Make your password complex—“easy to remember, hard to guess.” The current recommendations are at least 16 characters long and a mix of uppercase and lowercase letters, numbers, and symbols.
  • Do not reuse passwords. Create a different complex password for each of the online sites you access
  • Change each of your passwords at least once every 180 days (6 months).

Maintaining your passwords sounds like a tall order. It’s time-consuming, inconvenient, and difficult to remember. However, user-created passwords are the most easily accessed by a hacker and therefore most vulnerable to a data breach. So it’s worth taking some extra time to make your passwords as bullet-proof as possible. A password manager app for storing and managing your passwords can help with this, but you need to do your research to make sure the app itself is fully secure.

2-step verification (2SV)

2SV is an extra layer of security you can set up to use, along with your other credentials, when you log in to your account. With 2SV, a time-sensitive verification code is sent to you, either as SMS text to your mobile phone or by email. You enter this code, along with your user ID and password, to access your account. Learn how easy it is to set up 2SV for your Questrade account.

If you have 2SV enabled and there’s an unauthorized attempt to log in to your account, 2SV will block the attempt. You’ll receive a message with the verification code, your first clue that there may have been an attempted security breach of your account. This is helpful, because the sooner you’re alerted to suspicious activity with your account, the sooner you can contact Questrade Information Security to investigate the incident.

Biometric ID (fingerprint, touch, or face ID)

This is an added layer to safeguard your information—a unique characteristic such as your fingerprint, eye patterns, or facial features you use to identify yourself when you log in to a computer or secured site. If you have biometric ID set up on your mobile device, you can also set this up on the Questrade app so you can log in to your account using your fingerprint or other biometric data. Learn how to set this up.

Keeping tabs on your online activity

When it comes to security breaches, time is of the essence to report a possible breach. So it’s important to regularly review your account activity, monthly statements, and trade confirmations. Familiarize yourself with this information so that you can pick up quickly on any unusual transactions or amounts.

Automated alerts are a great way to stay on top of your account. At Questrade, you receive email alerts to let you know when your account has been logged into from a different device, location, or browser. Learn more about last login alerts.

If you have a Questrade trading account, you can set up trade confirmation alerts, so that you can view all orders that are initiated from your account. Learn more.

If you do suspect there has been unauthorized activity in your account, change your password immediately and contact Questrade Information Security. Learn more about reporting a suspicious activity or breach.

Online security may be the last thing you want to think about, but data breaches do happen and they can affect many. Recognize that reality--then take the steps you need to protect and monitor your personal and financial data.

If you enjoyed this post, please consider sharing it on Facebook or Twitter!

P.S. We’d love to meet you on Twitter or on Facebook

The information in this blog is for information purposes only and should not be used or construed as financial or investment advice by any individual. Information obtained from third parties is believed to be reliable, but no representations or warranty, expressed or implied is made by Questrade, Inc., its affiliates or any other person to its accuracy.