Cyber Security

Less than two months after the commencement of the Protection of Personal Information Act (POPIA), South Africa was affected by a massive data breach.

Experian, a consumer, business and credit information services agency, said on 19 August that it had “experienced a breach of data which has exposed some personal information of as many as 24 million South Africans, and 793,749 business entities, to a suspected fraudster”.

What does all of this mean for you or your company and how can you avoid becoming a victim?

“Cyber-Security is much more than a matter of IT.” (Stéphane Nappo, 2018 Global Chief Information Security Officer of the year)

According to official communications from Experian, a consumer, business and credit information services agency, an individual in South Africa claiming to represent a legitimate client fraudulently requested services from it and was simply given the  personal information of clients including cell phone numbers; home phone numbers; work phone numbers; employment details; and identity numbers. Information was also leaked for 793,749 business entities and included: names of the companies; contact details; VAT numbers; and banking details. Experian said that the data had then been placed on a third-party data sharing site on the internet, but added that subsequently that third party had “disabled the links” and that the data had “been removed” after Experian was successful in obtaining and executing an Anton Piller order. This does not, however, mean that the danger is over.

Steps to take to protect yourself and your business

While the breach has been reported to authorities, and South African banks have been working with Experian and the South African Banking Risk Centre (Sabric) to identify which of their customers may have been exposed to the breach and to protect their personal information, the investigation has not yet been concluded. As a result businesses are advised to take numerous steps to prevent any damage that may result from the leak.

The first thing to do is to simply not panic. Despite how bad it sounds the breach does have one very clear silver-lining.

“The compromise of personal information can create opportunities for criminals to impersonate you but does not guarantee access to your banking profile or accounts,” said CEO of the South African Banking Risk Information Centre (SABRIC), Nischal Mewalall.  “However, criminals can use this information to trick you into disclosing your confidential banking details.”

What this means is that you, and the staff who have access to your finances and accounts need to be extremely vigilant when it comes to dealing with phone calls from people claiming to be from banks and financial institutions, or who are eager to get additional details or sell you services that may require you to divulge any further personal information.

The Southern African Fraud Preventions Services (SAFPS) has advised companies and individuals to take the following precautionary measures:

• Do not disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax, text messages or even email.

• Change your passwords regularly and never share them with anyone else.

• Verify all requests for personal information and only provide it when there is a legitimate reason to do so.

Experian themselves take this advice further, suggesting that anyone who is afraid they may have been affected to “Visit their online bank and financial accounts, and set up any alert features they may have, if they have not already done so. This could help save some time and keep them notified of any unusual events when they occur”.

The company also recommends that everyone checks their credit report as regularly as possible.

“You can check your credit report for free once every twelve months by visiting AnnualCreditReport.com. Checking your credit report can help you identify any unusual activity, such as new accounts, new personal information or inquiries,” says Experian CEO, Brian Cassin.

Additionally, should you suspect that your identity has been compromised, notify your bank and apply immediately for a free Protective Registration listing with SAFPS. This service alerts SAFPS members, including banks and credit providers that your identity has been compromised and additional care must be taken to confirm they are transacting with the legitimate identity holder.

Consumers wanting to apply for a Protective Registration can email SAFPS at protection@safps.org.za.