As many as 24 million South Africans and almost 800 000 businesses may have been affected by a major data breach to hit credit bureau Experian.
A fraudster posing as a client of the credit bureau gained access to the details via social engineering, rather than hacking. The attacker’s success shows how easy it is for cyber criminals to carry out unlawful acts, despite constant reminders from cyber security providers to put comprehensive measures in place to minimise the risk of attack.
South African banks are working with Experian to determine which of their clients’ data has been exposed. By law, banks have to disclose details of customers who have credit with them to three credit bureaus, including Experian.
In response to the incident, Experian has issued a statement saying its investigations indicate the misappropriated data hasn’t been used for fraudulent purposes. Also, no consumer credit or consumer financial information, such as banking details, was obtained.
However, a breach of basic personal information such as ID numbers, phone numbers and addresses can still lead to impersonation. The South African Banking Risk Centre warns that attackers can use personal information to trick you into disclosing your confidential banking details, so extra vigilance is required when opening and responding to emails.
What does it say about the state of data protection in SA?
On hearing this news South Africans may well feel violated. If you’ve borrowed money or entered into any formal financial transaction, Experian is likely to hold information about you such as your personal details and financial history.
Experian also holds rental information, all the addresses you may be, or have been, linked to, electoral roll information, credit details and details of public orders. We can request this data about ourselves, but do we have the certainty that it’s being kept securely?
The other question is: if large corporate enterprises don’t have state-of-the-art cyber security measures in place then how are small businesses faring in terms of their efforts towards data protection?
No business is too small to face a breach: each one needs cyber protection against a disaster of this kind, not only in the interests of upholding its reputation, but in safeguarding its systems and protecting the valuable personal information it holds about people.
Here at IronTree we eagerly await the rollout of the Protection of Personal Information Act (POPIA), South Africa’s equivalent of the EU’s GDPR, which will see each one of us empowered to control the destiny of our personal data.
IronTree is hard at work with the appropriate partners to ensure that education and protection happen for businesses and individuals, so watch this space.
In the meantime, talk to us, and let’s tailor a data protection plan for your business.