Athol Smith

Investment Know How


Most readers will be aware that the credit bureau Experian has just suffered South Africa's largest ever data breach, which it states has now been contained. It seems that Experian was tricked into handing over the personal details of almost 24 million people to an individual it now calls a fraudster. Given that this number more or less comprises the total number of economically active individuals in the country, it is likely that any reader of this article is among the ‘victims’ of this breach. However, it is still not clear what happened between the end of May – when Experian handed over that data – and mid-August, when that containment actually took place.

On Thursday 20 August, Experian confirmed that what it terms "the release" took place on 24 May and 27 May. That was when it handed over data including ID numbers, telephone numbers, and physical and e-mail addresses of more than 23 million individuals and nearly 800,000 businesses to someone who presented themselves as authorised to have that information. As of Thursday, South Africa's largest banks are warning affected and potentially affected customers to exercise heightened vigilance, because that information could be used in identity theft attempts, or to convince people to hand over more information. For all of June, July and the first two weeks of August, however, customers were not aware of that possibility, as Experian first sought to plug the leak.

Experian said it had detected the breach on 22 July – 57 days after handing over the data. It seems that the person to whom the data was handed over had impersonated a valid representative of the company and was in fact neither an employee nor associated with it in any way. "The fraud was detected once Experian struggled to contact the representative of the company on his mobile and then attempted to make contact on the company’s landline," the company said in response to questions. "The actual person who was impersonated confirmed that he did not have any dealings with Experian."

It immediately started to investigate, Experian said, but needed to ensure that it had the evidence required to apply for a search and seizure order, which it eventually did on 13 August, 79 days after handing over the data. The order was fully executed by 18 August – 84 days after the breach. On 20 August Experian said it believes "that the incident has been contained", after it seized hardware from the suspected fraudster and the data was "secured and deleted". Asked why it believed the data had not been sold or otherwise passed on in three months, the company said: "We have been monitoring the various platforms (i.e. the dark web) to ascertain whether the data is being offered for sale. We also employed a leading digital forensic investigator to assist us with our efforts. Also, from our internal investigations we ascertained that the fraudster conducts an insurance and credit services marketplace and uses the information to contact consumers in order to offer services to consumers."

This illustrates how easily sensitive personal data can fall into the wrong hands. Although Experian is downplaying the seriousness of the breach and might be able to escape liability claims from ‘victims’, it will undoubtedly have cost the company (or its cyber risk insurer) millions of Rands to investigate and contain the breach, identify the perpetrator and bring charges against him or her. This is a company which would have had state-of-the-art cyber security and yet still became a victim of fraud, which goes to show that awareness and vigilance are paramount when it comes to the protection of personal information. Curiously, this data breach arises just as the Protection of Personal Information (POPI) Act has come into force, carrying hefty fines.
A one-year grace period has been granted for organisations to become fully compliant by 1 July 2021, after which there will be no place to hide. Banks are expected to communicate with their customers to explain how to protect their personal information. The South African Banking Risk Centre (SABRIC) has issued a statement advising banking clients on steps to take to secure their personal information. The breach of data potentially allows criminals to impersonate banking customers, but this does not automatically mean they have access to banking accounts unless customers are tricked into disclosing confidential banking information. SABRIC’s statement advises the following precautionary steps:

  • Do not disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax, text messages or even email.

  • Change your passwords regularly and never share them with anyone else.

  • Verify all requests for personal information and only provide it when there is a legitimate reason to do so.

African Bank has confirmed that some of its customers’ data has been stolen from the Experian platform. “The breach of data means that certain customers’ personal information, including the likes of identity numbers, cell numbers etc. has been compromised. The compromise of personal information can create opportunities for criminals to impersonate an individual but does not provide access to a customer’s banking account or details,” says African Bank in a statement.

Banks are warning customers to remain aware that fraudsters can impersonate a bank and contact customers pretending to be their bank, since they may know their ID and cell numbers. All banking customers are urged to remain vigilant against possible fraud and to never disclose usernames, passwords, PINs or One Time PINs (OTPs) when asked to do so by anyone via telephone, fax, text message or even email, no matter how believable the request might appear to be, and to change passwords regularly and never share them with anyone.

This is an exponentially growing threat, and SA, despite its relatively small population, is among the top 5 countries internationally for number of cyber attacks. The POPI Act is not something to be taken lightly, and compliance with its requirements, whilst fairly onerous, should ensure that businesses are reasonably well protected against liabilities for a data breach. However, as can be seen from the Experian episode, things can and do go wrong, and any business which holds customers’ sensitive information is a potential target for cyber fraudsters and hackers and should consider taking out Cyber Risk cover. We, at Majestic, can offer cover from all the leading insurers in this field.

Author’s Note: The recommendations contained in this article are of a generic nature and should not be considered as “advice” as defined in the FAIS Act of 2002.

Acknowledgement for a part of this article to Phillip de Wet of Business Insider SA.