Durban - Cybersecurity experts and banks have asked citizens to prepare for the worst following the theft of personal information in the country’s largest ever data breach.
Some 24 million people’s information and that of about 800 000 businesses were acquired by a fraudster who allegedly impersonated a “legitimate” client and fraudulently requested the data from multinational consumer credit reporting company Experian. At risk are those who hold bank and credit accounts.
Experian is the world’s biggest credit data firm that collects and aggregates information on over a billion people globally. The information is used to generate credit reports and scores based on borrowing and payment habits, which are used by banks, car dealers and retailers.
Ferdie Pieterse, Experian Africa’s chief executive, has since apologised for the breach and said their first priority was to help and support the country’s consumers and businesses. The fraudster was identified and the Experian team successfully impounded the individual’s hardware and the misappropriated data was secured and deleted.
Pieterse confirmed that no consumer credit or consumer financial information was obtained.
Director of the Centre for Cyber Security, Basie von Solms, from the University of Johannesburg, said every citizen should act as though they were one of the 24 million affected people. “Most didn’t know their personal information was stored with Experian. Everyone must be cautious and not trust anyone.
"If you receive any unsolicited calls or emails, it is best to not divulge information and cease communication. Call your bank or the company directly to verify if they contacted you and why,” he said.
Von Solms said criminals targeted the weakest link, which was the human element. “If a system cannot be hacked, they turn to social engineering, and that’s what happened here.
"They posed as a client, but the company should have utilised thorough verification procedures before handing over the information. Clients, consumers, employees or call centre operators are soft targets compared to hacking sophisticated technology,” he said.
Von Solms added it was naive to believe the breach was fully contained. “The hardware might be taken and the perpetrator identified, but who is to say that copies were not made and are currently sitting in cyberspace waiting to be used?”
Derrick Chikanga, an IT services analyst at Africa Analysis, said the breach was significant as it related to 75% of the approximately 32 million banking adults in the country.
“As such, most customers are at risk of phishing and impersonation. Cyberattacks are becoming increasingly sophisticated and most unsuspecting customers might fall victim to impersonation attacks after such data compromises,” Chikanga said.
Chikanga added that from the perspective of banks and other financial institutions, more was needed to ensure robust systems were put in place to counter the growing threat of cyberattacks.
The breach was reported to authorities, and local banks were working with Experian, the SA Banking Risk Centre (Sabric) and the Banking Association of SA to identify which customers were exposed and to protect their personal information.
Sabric chief executive, Nischal Mewalall, said: “The compromise of personal information can create opportunities for criminals to impersonate you, but does not guarantee access to your banking profile or accounts. However, criminals can use this information to trick you into disclosing your confidential banking details.”
Manie van Schalkwyk, Southern Africa Fraud Prevention Service (SAFPS) chief executive, urged citizens to consider personal identity information in the same way as cash.
“Keep it safe and secure at all times, because once it is compromised it can be used by anybody, often to impersonate you. Bank customers and other consumers must follow sound identity management practices to mitigate the risk of impersonation and fraudulent applications,” he said.
Van Schalkwyk suggested if people suspected their identity was compromised, they should immediately apply for free Protective Registration listing with SAFPS. “The service alerts SAFPS members, which included banks and credit providers, that your identity was compromised and additional care needs to be taken to confirm they are transacting with the legitimate identity holder.”
“Fortunately as banks have migrated to digital forms of banking the level of security and authentication has been increased. The introduction of one-time passwords (OTPs), for example, means that it is much harder for fraudulent transactions to be made,” Mthombeni said.
Absa, African Bank, FNB, Investec, Nedbank and Standard Bank all sent out alerts to their customers to take various security measures such as routinely changing passwords, never sharing them, to remain vigilant and to report any suspicious activity.
However, Accenture, an international company that provides consulting on technology, business and marketing, released a report in May that revealed South Africa had the third most cybercrime victims globally, amounting to R2.2billion a year in losses. The report said the country experienced a cross-industry spike in cyber attacks last year.
“South African organisations are perceived as potentially having lower defensive barriers than more developed economies. They may also think they face a lower chance of incurring consequences for malicious activity.”
The report outlined that making use of security and threat intelligence, protecting against internal threats and people-based attacks, focusing on compliance and applying best practices could minimise cybercrimes.
On July 1 the National Council of Provinces passed the Cybercrimes Bill, which now awaits President Cyril Ramaphosa’s approval, which focuses on criminalising the theft and interference of data. - Additional reporting Sandile Mchunu