CAPE TOWN - Last week, web security expert Troy Hunt took to Twitter to reveal that he had discovered a large breach that may be of concern to his South African followers.
Titled "masterdeeds", the breach includes the ID numbers, names, gender, ethnicity, home ownership and address of millions of South Africans.
Discovered as part of a larger dump of other breaches, and traced back to a web server registered to a real estate company based in Pretoria, the data trove could affect more than 31-million individuals (including millions of children and teenagers).
While the database file indicates the breach may have occurred as recently as March 2017, it contains information going back as far as the 1990s.
The personal details contained in the database represent a massive security threat to ordinary South Africans.
Just think about how many services use things like ID numbers and home addresses as part of their security checks.
In the hands of criminals, the data obtained in the breach could be used to gain access to even more data, which could result in the exposure of high-risk information such as bank accounts.
It could also be used to commit e-commerce fraud, draining credit cards and causing chaos among consumers and companies alike.
The situation is clearly very serious, and only exacerbated by the fact that a surprisingly high percentage of South African companies, even in financial services, either do not password-protect the confidential documents they send out via email, or use a password that can be found in breached or publicly available data, such as an ID number.
All eyes will now turn to the new Information Regulator as it deals with its first major public breach since appointment.
Industry watchers will be especially keen to see whether the source of the breached data is sanctioned, and whether the culprit follows the correct breach notification and management procedures required by the Protection of Information Act.
In the meantime, what do South African companies need to be aware of? And how can a business ensure the data and documentation stored in internal systems are protected?
An important first step for any company is to realise that a breach of this magnitude doesn’t just impact people’s trust in the organisation directly affected.
It also means they’re less likely to trust any other players holding similar information.
It’s therefore imperative that you give your customers reason to trust in your security processes. Pivotal on that front is to communicate with them in a way that is open and easy to understand.
Tell them exactly what you’re doing to ensure that any information they have with you is kept safe and what actions you’re undertaking to ensure the data you have doesn’t fall prey to a similar breach.
You can also empower customers by directing them to https://haveibeenpwned.com, an online tool that provides a free check of whether an email address or username has been compromised in a data breach.
Walking the talk
It is, of course, vital that you be able to back up this intent with action. What actions should you be taking when it comes to securing client data and documents in your systems?
While a detailed answer would require far more column-inches than we have here, there are a few simple pointers worth exploring:
Don’t do it yourself: chances are you’ve grown your business by being good at what you do. Unless you also happen to be a security expert, you’re probably best leaving your document security in the hands of someone who is expert at it.
Choose carefully: That said, you should always do your homework before choosing a document security provider.
Find a provider with a strong track record and who understands your business needs. This partner should also be fully aware of, and compliant with, the current legal and regulatory environment.
Be proactive: A good document security company will be proactive when it comes to informing you about the latest threats, how they impact you, and what it’s doing to address them.
That said, if you have any concerns, you should absolutely be proactive in approaching your provider with them. If they're worth their salt, they'll respond quickly and knowledgeably.
It doesn’t stop with you: Companies should also work with their document security providers to identify any other high-risk partners and vendors they might deal with. If they don’t already include them, contracts with these providers should be reviewed to include data protection protocols.
A partnership of protection
The documentation you keep in your system should be treated as precious. There’s a reason cyber-criminals are so keen to get hold of the confidential content.
It’s therefore obviously worth investing in keeping these documents as secure as possible.
Greg Gatherer is executive head of Striata Document Solutions.
- BUSINESS REPORT ONLINE