“GOOD Morning Minister. I have instructed FNB to remove the video clips from their website this morning. I will investigate how and why the clips ended (up) on their website. Sincere apologies for this. Sizwe.”
This was probably one SMS that FirstRand chief executive Sizwe Nxasana dreaded reading on the front page of the Sunday Times, South Africa’s biggest-selling weekend paper.
This week neither FirstRand nor the Department of Basic Education, whose minister – Angie Motshekga – was the recipient of the SMS, could explain how the private communication fell into the hands of the Sunday Times.
Sam Moss, FirstRand’s head of investor relations, said in an e-mail from Asia, where the group’s senior executives are on a roadshow: “We are not commenting any further on this issue.”
Panyaza Lesufi, Motshekga’s spokesman, said the Basic Education Department’s internal risk team was conducting an investigation.
Experts who have commented on the possible methods for hacking into cellphones said in this case there was a strong possibility that someone from either Nxasana or Motshekga’s staff had leaked the text message to the Sunday Times.
Arthur Goldstuck, the managing director of World Wide Worx, a technology research and advisory firm, said it was very likely that the Sunday Times had not hacked into Nxasana or Motshekga’s phones or employed people to do so, because the editor and authors of the story would be susceptible to criminal prosecution if found liable.
“You mess with that kind of thing, you mess with the future of your publication. Chances are that it was a leak by a member of the minister’s staff,” Goldstuck said.
S’thembiso Msomi, the managing editor for politics at the Sunday Times, said: “We believe the Sunday Times acted ethically in that it verified the authenticity of the SMS with minister Motshekga’s office, which acknowledged that the minister had received the SMS but refused to comment further on the matter. Attempts were also made to get hold of Mr Nxasana but his office referred the Sunday Times to FNB, which commented through its spokesperson.”
Msomi added that the paper “did not hack into people’s phones”.
“You would appreciate the importance of protecting confidential sources of information, so we are unable to reveal further details of how the SMS was obtained.”
He said the newspaper had not been approached by the minister’s office or FirstRand in relation to an investigation.
In 2011, it was revealed that News International, a newspaper owned by media mogul Rupert Murdoch’s News Corporation, had over a period hacked into the cellphones of a murdered British schoolgirl, celebrities, politicians and members of the British Royal family.
The scandal, dubbed Hackgate, Rupertgate and Murdochgate, led to the closure of the paper, the abandonment of a massive deal for its parent company, arrests of senior figures in the company and newspaper, and high-profile resignations within British politics and the police.
Goldstuck said in this case the perpetrators had used “password tracker” to obtain passwords to access the voicemail of their victims.
Grant Brown, a security specialist at Symantec, which provides security software globally, said there were less complicated methods in which an SMS could end up in the wrong hands.
These included the erroneous transfer of the SMS to an unintended recipient or gaining access to a cellphone that was not password-locked.
Alternatively, someone could approach a contact in one of the network service providers. Brown said transmission was possible via wireless access. “Any data sent in an unsecured wireless access point can be read.”
He said that iMessage and WhatsApp were examples of messaging services that did not use an encryption protocol.
It is possible to clone a SIM card and, if using a 3G data device, these messages can automatically load onto a computer screen once the modem is plugged into the computer.
Brown said spyware could be loaded onto a cellphone. The spyware could take photographs and record sound without the knowledge of the user.
He also cited “social engineering”, in which someone pretended to be a government official or some other authority and sent a legitimate-looking e-mail that would install the application.
Brown said that recently some cellphone users were fooled into downloading an application that would convert the phone into a solar-powered energy-saving device if the owner downloaded the application and afterwards tilted the phone towards the sun.
“They didn’t realise that the app was collecting all sorts of information in the background,” he added.
According to Kaspersky Lab, a global antivirus security software provider, last year there was “explosive growth” in the interception of cellphone data via malicious software.
Cybercriminals particularly targeted cellphones operating on the Android platform.
Kaspersky forecast that this year could present “an alarming trend” in “drive-by download” attacks on cellphones and other cellphone devices.
“This means that personal and corporate data stored on smartphones and tablets will be targeted as frequently as it is targeted on traditional computers. New sophisticated attacks will be performed against owners of Apple devices as well,” the company said.
A telecoms industry insider said cellphone network operators could intercept cellphone communications only if instructed by a judge and they could not store SMSs.
Peter Fryer, a director of Pretoria-based Risk Diversion, which specialises in cellphone and mobile device forensics, said the Regulation of Interception of Communications Act clearly stipulated that interception could be conducted only by law enforcement agencies where there was suspicion of a crime being committed or where an emergency had occurred.
“Within the context of business, there is an allowance for interception.” Fryer added that this interception was allowed where there was a direct bearing on the business.
However, enterprises could not readily monitor services such as an employee’s Gmail or Facebook profile.
He said cellphone communications were very strictly regulated and this privilege lay only within the ambit of the intelligence community.
According to Fryer, passive or off-air communication could be monitored using a special device that costs between R6 million and R8m, but private possession of this equipment was illegal.
The operator of such infrastructure would require certification but this documentation was typically issued to a government body or organisation.
“Only a handful of reputable companies around the world sell this technology. None of them are in South Africa,” he added.
The Sunday Times did not reveal its source when it reported over the weekend that Nxasana sent the SMS to Motshekga last Monday after a child had made derogatory comments about her in one of the FNB “You Can Help” videos.
The advertising campaign has aired on several platforms, including online and television, and featured several videos of children in school uniform reflecting on their hopes for South Africa.
Neither the Sunday Times nor the Press Ombudsman’s office have responded to questions.
Anton Harber, a journalism professor at Wits University, said: “On the face of it, publishing this SMS was an invasion of privacy, though there is a strong argument that public interest justified it. It would also be relevant how the newspaper got hold of the private communication and whether they did it improperly.”
Harber added it was likely that any possible breach of privacy “may have been initiated by one of those involved (in the SMS), even if unwittingly”.
He said the newspaper had “slipped up” by not indicating how it got the information.
“Even if they cannot name their source, they are ethically obliged to explain this and give whatever information they can,” he said.
Harber cautioned, however, that this incident cannot be used as a barometer for the quality of journalism in South Africa.
“One bad doctor does not condemn all of the country’s medicine,” he said. – Additional reporting by Sapa