Last month saw one of the largest data breaches in South African history. Experian, a credit reporting company, stated that some of the personal information of around 24 million South Africans – and over 800 000 businesses – was stolen by a fraudster.
The fraudster posed as a representative of a legitimate Experian client who placed a large, yet plausible, credit information request on behalf of that client. The information obtained from Experian’s digital tracking software was intended to create marketing leads for insurance and other credit-related scams.
Experian worked closely with the South African Banking Risk Centre (SABRIC) whose CEO, Nischal Mewalall, stated at the time, “the compromise of personal information can create opportunities for criminals to impersonate you but does not guarantee access to your banking profile or accounts. However, criminals can use this information to trick you into disclosing your confidential banking details.”
After some investigation, it was deemed that no consumer financial information or accounts were put at risk. However, other online information like passwords, purchase histories and internet traffic can become a very nasty security concern when handled poorly, especially in the kinds of numbers we saw a few weeks ago.
Once the investigation had identified the suspect, and located their base of operations, Experian followed up with a confirmation that the hardware containing the breached data were secured and the suspect apprehended:
“We have identified the suspect and confirm that Experian South Africa was successful in obtaining and executing an Anton Piller order which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted.”
The risks associated with the digitising of our personal information and sharing of our day-to-day lives are only getting greater and these types of data breaches will only become more common. Although, when considering advances in digital security services and financial protections, they will probably become less successful over time.
SABRIC and the South African Fraud Prevention Service (SAFPS) urged all banking customers to practise sound identity and financial information management and mitigate the risks of impersonation, fraud and theft using your name or account information by using deliberate tactics and services.
Should you suspect any foul play or that your identity and information have been compromised, the SAFPS provides a free “protective registration” listing within their online security system. This service sends out alerts and notifications to those registered for it – which includes banks and other business – that a breach may have occurred or your identity has been compromised.
Individual statements and best practices were released by each of the major banks: Standard Bank, Absa, Capitec, First National Bank and Nedbank advised their customers on what to do in the event of an information breach.
The advice is much of the same from each bank – change your passwords, protect your card details, never share OTPs or CVVs and always confirm correspondence from your banks before divulging any information at all.
In situations like the data breach that occurred with Experian in August, it is imperative that individuals continue to re-secure their online information. Changing usernames and passwords; checking account details; verifying online personal information; confirming financial transactions and registering with a public – or private – security service that notifies you when you are at risk should be commonplace after such a potentially devastating incident.
“We are continuing the legal process in this regard, including coordination with law enforcement and relevant authorities,” Experian said in a recent statement as tensions around the credit bureau’s data disaster.
Experian South Africa has been working with the National Credit Regulator and the Information Regulator while confronting the security risk and has ensured all of their clients that their digital infrastructure, systems and database were not compromised this time.
However, they are aware of the need to prevent similar events from occurring and will be improving their protocols in the near future. They stated that “as a precaution, we advise anyone who may have concerns to regularly check their credit report.”
There was some debate in the 19th and 20th Centuries about the effectiveness of keeping money in the bank versus a personal safe or ‘under the mattress’. Personal information is similar to cash in that it is incredibly valuable, needs to be secure and can put that individual in tremendous danger if they spend it recklessly.
This may seem like an asinine debate to modern populations, but it was taken very seriously by generations past. As we continue to transition our personal, professional and financial lives onto the many digital platforms that are making much of our lives easier, we need to remember that these come with more exposure and much greater risk.