From conmen sending you fake emails about winning a lottery to state-sponsored hacks into an enemy country’s digital infrastructure, cybercrime has become a huge risk worldwide, and sooner or later, it will affect you directly, if it hasn’t already.
This has been recently highlighted here in South Africa by the massive breach of consumer data held by credit bureau TransUnion and outrageous extortion demands by the hackers.
In an update recently on its website, TransUnion answered some commonly-asked questions about the breach, which happened in March. It says: “We are aware that a criminal third party has aggregated and is releasing data, allegedly obtained from TransUnion South Africa and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017.
“With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it. The criminal third party obtained access to the TransUnion South Africa server through misuse of an authorised client’s credentials. Immediately upon discovery of the incident, TransUnion suspended the client’s access, engaged cybersecurity and forensic experts, and launched an investigation.”
The hackers have demanded a ransom of $15 million (R223 million) for the information not to be distributed, which TransUnion says it will not pay. “TransUnion believes that acceding to the criminal third party’s extortion demand would only provide them and other bad actors with an incentive to continue attacking consumers and extorting businesses. (Our) approach is aligned with best-practice advice from government and third-party cybersecurity experts, who recommend not paying, particularly given the risk criminals may leak data anyway.”
TransUnion says it can confirm that at least three million consumers and 600 000 businesses have been affected. “Fields of information that may be affected for consumers include name, ID number, date of birth, gender, telephone number, email address, address, marital status and information, identity of employer and duration of employment, vehicle finance contract number, and vehicle identification numbers.
In isolated circumstances, spouse information, passport numbers, credit or insurance scores may be impacted. Each consumer may have a combination of different fields impacted, depending on what data was available.”
The regulators are investigating the breach, and TransUnion says it is cooperating fully with the South African authorities as well as working closely with law enforcement agencies in the United States.
The company is in the process of informing customers and providing help where necessary. “Where contact information is available, TransUnion is directly contacting by email or text the individuals and businesses we know to be impacted. (We are) also providing information on how affected individuals and businesses can protect themselves, including free subscriptions to TransUnion’s tools to detect identity-related and business-related threats. For consumers, this includes free access to their personal credit reports and alerts up to 31 December 2023, and for businesses, this includes free access to their business credit reports up to 31 December 2023.”
VULNERABLE CONSUMERS
The incident underlines how important it is for businesses such as TransUnion, which hold massive amounts of consumer data, to have strong cybersecurity measures in place to protect that data. But it also underlines how vulnerable we are as consumers to widespread distribution of our personal information, despite all the measures being put in place to protect it.
“This alarming news is further indication that every company that holds personal information is a potential target. The consumer desperately needs an extra layer of protection on their identity against criminals who will turn their lives upside down without a second thought,” says Manie van Schalkwyk, chief executive of the Southern African Fraud Prevention Service (SAFPS).
“How significant is the risk? It is estimated that there are 17 billion cyber attacks that take place around the world every day, not all being successful.”
“Data breaches have been on the rise globally, and South Africa has seen unprecedented increases in the number of cyber victims,” says Dalene Deale, executive head of Secure Citizen.
Secure Citizen was created through a collaboration with SAFPS and OneVault, a company offering biometric authentication solutions, in response to the rapid growth in identity theft following online fraud.
“Fraudsters do not discriminate. Fraud is a fraudster’s business, and they often use the same business tactics we use in legitimate business, the difference being that they don’t have customers. They have victims. Thanks to an increase in data breaches, fraudsters are motivated and armed with the correct information, meaning they are very capable of impersonating an individual. The impacts of this can be catastrophic,” says Deale.
PROTECT YOURSELF
We need to be proactive and protect ourselves, and one way to do that is through SAFPS’s Protective Registration, powered by Secure Citizen. Protective Registration is a free service protecting you against identity theft. Once registered, the SAFPS alerts its members to take additional care when dealing with your details.
“If a member of the public wants to become proactive in the fight against fraud, the SAFPS is there to serve them. Visit our website on www.safps.org.za. Click on the fraud prevention tab and protect yourself against identity theft with Protective Registration. For best results, use your smartphone to go to our website. Once you have uploaded key pieces of information, you will add another layer of protection against potential ID fraud,” says Van Schalkwyk.
“As a society, it is important that we move towards creating a world where the fight against fraud becomes protective and proactive. We cannot always be reactive when it comes to fraud,” he says.
PERSONAL FINANCE