JOHANNESBURG - On 7 September, news broke that Equifax, a giant in the global credit check space, had suffered a massive online security breach.
The event saw hackers lay their hands on the personal information of hundreds of millions of people. All told, the event could potentially impact 145.5-million US citizens, as well as thousands of UK nationals and Canadians.
Much of the information stolen in the breach -- including social security numbers, driver’s license numbers, birth dates, employment histories, credit cards and other sensitive details -- was gathered without people’s explicit permission. A hack this big begs the question: could something similar happen in South Africa? If so, what lessons could we learn from Equifax?
Code, credit checks, and crooks
In order to understand whether an Equifax-style breach could happen in South Africa, it’s important to understand how Equifax makes its money.
Essentially, the company makes much of its US$3 billion or so in annual revenue by selling personal information to financial institutions that use it to determine people’s creditworthiness. In South Africa, several similar companies are in operation, the largest being TransUnion.
Like Equifax, they get their information from credit card companies, banks, credit unions, retailers, car sellers and home loan providers. These companies also receive information from debt collectors, and they purchase public records, such as bankruptcies, tax liens, and judgements, from public record providers.
If nothing else, that means similar opportunities exist for identity theft in South Africa. Factor in the country’s already high levels of cybercrime and it’s easy to see that the risk level isn’t insignificant.
To date, no other credit reporting agencies have reported falling victim to the kind of breach Equifax did, but it’s worth noting that it took the American company weeks to even figure out that it had fallen victim to hackers. While these companies are undoubtedly beefing up their security in the wake of the Equifax incident, the truth is they’re in a constant arms race with the people out to get the data.
If they’re efficient and monitor activity on their networks properly, they can fight off attacks as they happen and minimise any damage they cause.
That’s the best-case scenario. But what if the worst were to happen? What if a South African company experienced an Equifax-style attack? What could you do?
First off, you need to think long-term. The hackers responsible for the Equifax hack certainly are. In the immediate aftermath of the breach, there was no spike in identity sales on the dark web.
That means you need to exercise constant vigilance around your financial accounts, pay careful attention to any emails or calls you receive, and regularly check your credit reports.
If you’re a business owner, it’s imperative that you don’t just pay attention to your personal accounts. Businesses also regularly fall victim to identity theft and could well be impacted by an Equifax-style hack.
In fact, small businesses in the States are already joining a lawsuit against the credit reporting agency. They’re concerned that information exposed in the hack could be used to open fraudulent accounts, damaging their credit scores.
For small businesses which already struggle to get loans from banks, this could prove disastrous. Equally disastrous is the kind of information cyber-criminals can get their hands on once they’ve got access to the kind of personal data stored by credit ratings agencies. This can include sensitive documents and correspondence.
On this front, at least, businesses have some options. They can, for instance, ensure that their customer communication solution or solution provider uses sophisticated, multi-factor authentication to protect the customer data in, for example, the invoices and statements they routinely send out, and that this data is secured whether it is stored on their own infrastructure, in transit online or on a customer’s device.
These kinds of technologies are rapidly evolving and are very exciting. Ultimately though, the best thing a business can do is ensure that its people -- especially those tasked with overseeing the company finances -- know what to look out for. Establish a culture of staying up to date with the latest security news and running regular checks on things like credit scores. If you have the luxury of a security team, make sure they’re talking to other parts of the business about the kinds of things they’ve seen and how a few simple practices can make everyone exponentially safer.
Security breaches as large as the one experienced by Equifax can seem incredibly scary, but with just a little know-how, their impact can be contained.
Greg Gatherer is the executive head of Striata Document Solutions
- BUSINESS REPORT ONLINE