Data of 30 million breached
In October, South Africans and the world learned that personal data of at least 30 million people were breached. Even data of deceased people was leaked. It is said to be the largest leak of private citizens’ data in the country’s history. Toby Shapshack, publisher of tech-focused Stuff Magazine, says people should panic. “The data may be five years old but our ID numbers remain the same. Furthermore, our employment history also remains the same and these are the sort of things that make it possible to create fake identities. It is a serious problem and I'm not being paranoid.”
More than half of the country affected
The information contained in a 27GB file was discovered by Australian-based internet security expert Troy Hunt earlier. It contains names, full identity numbers, income, gender, employment history, contact numbers and even home addresses. South Africa's population is about 55 million, so more than half of the country is affected by what has been described as the country's worst leak of private data.
Bank accounts and identities are vulnerable
Stolen personal information – especially when dealing with numbers as big as this case – can be used to steal bank accounts, and opens up an opportunity for identity theft. “Cybercriminals are no different from thieves who break into homes – they just operate on a much larger scale”, says Marty Kamden at ITNewAfrica.com. “Therefore, they are even more dangerous. Governments still struggle with solutions for such massive-scale hacks, so our advice is for people to take their privacy into their own hands.”
"With the vast amount of data available on information security threats, there is no excuse for ignorance or inactivity"
Both tech and people are the problem
On top of that, research shows that people and processes are as much the problem as technology. "With the vast amount of data available on information security threats, there is no excuse for ignorance or inactivity," says Arthur Goldstuck, managing director of World Wide Worx. "Yet, that's what we still see in a small but significant number of corporations. At the very least, any sizeable company should have a set of security measures, protocols and responses that is as much part of the company's DNA as is its marketing strategy or legal compliance policy."
“Security is not just about technology. As the research shows, the decisions and behaviours of people will impact the integrity of a business. Smart organisations enable, do not restrict their employees allowing them to thrive, as well as adapt processes and transform operations to succeed. Forward thinking organisations understand that reactive security is no longer a suitable method for protecting applications and data,” concluded Kibby. “By taking a software-defined approach to IT that embeds security into the applications and network, these businesses have gained the flexibility required to both secure and succeed as a digital business.”
Why is no one panicking?
Mr. Goldstuck agrees with Mr. Shapshack that South Africans should be panicking about this breach, but also that the internet security flaws and data breaches in SA can and will get worse in the coming years. Mr. Goldstuck in his article: “The fact that banks have not gone into crisis mode holds another message: for now, the public is almost on its own when it comes to identity theft. What can South African banks do? For one thing, they need to put in place additional systems aimed at preventing illegal access or changes to accounts. For another, they could mount massive education campaigns. But one has to look hard for such initiatives.”
They simply don’t recognize it
Another alarming thing about online security, is the lack of knowledge among employees. “Working with resellers and end-users to provide security solutions, we found the biggest problem was lack of knowledge,” says Henk Olivier, managing director of Ozone. “Not because they don’t want to pay attention to internet security, but because of a lack of knowledge of even where to start.”
Will PoPI in South Africa fight Data Breaches?
The Protection of Personal Information Act (PoPI) should regulate the way businesses process and handle privacy and personal information. The act ensures all South African organisations behave responsibly when it comes to collecting, processing, storing and sharing personal information. It considers personal information to be ‘precious goods’. Some parts of the PoPI are already in effect, however the majority of the law will be effective later. Many countries are setting up new regulations to improve processing of personal information. In Europe, the General Data Protection Regulation (GDPR) will take effect in 2018.
"Alarming is to see the number of organisations in SA who do not use MFA"
Data breach knocks of 350 million dollars off Yahoo purchase
Yahoo! learnt the hard way that data breaches costs money, long after the breach was discovered and contained. “We easily forget the cost of not authenticating and verifying someone’s identity”, explains Stewart Mackay, working with mobile messaging and online security specialist CM.com in Cape Town. “Verizon knocked off 350 million dollars off the Yahoo! purchase after their data security breach, while IBM estimates that the average cost is about 3,5 million dollars. Multi-factor authentication, or MFA, is a must, but there will always be a trade-off between ensuring necessary security and providing the ease-of-use for the employee or customer.”
Mr. Mackay continues: “What’s more alarming is to see the number of organisations in SA who do not use MFA (also known as two-factor authentication) – not just at transaction level, but also for login authentication, leaving system access wide open.”
Don't panick, secure your online environment
Securing your online environment and intranet is no longer just a commodity. In these times, it's an absolute necessity, as data breaches are vast, recurring and cost more than simply securing log-in sessions, bot in the long term as in the short term. Staying ahead of cyber crime is priority number 1!
How to secure your data and prevent fraud:
- Use only ‘https’, a secure protocol that encrypts data
- Implement two-factor authentication, an extra layer of security when logging in
- Avoid downloading files
- Change your passwords on a monthly basis
- Offer number verification to prevent card cloning