27 August 2020

What cyberhacking data means for you

The hacking of Experian is one of the largest data breaches to have hit South Africa. (Igor Golovniov/SOPA Images/Getty Images)

Whenever you hand over your private information to an institution, it’s an act of trust.

You are trusting that the information will be used for its intended purposes and that reasonable measures have been taken to protect your privacy. 

But cybercriminals are always on the lookout to cash in on holes in network systems.

On August 19, the South African Banking Risk Centre announced that there had been a significant data breach at the South African wing of the multinational credit bureau, Experian, resulting in the exposure of the personal information of 24-million South Africans and 793 749 businesses.

Craig Rosewarne, the managing director at the cybersecurity company Wolfpack Information Risk, said some institutions have a public domain such as a website where people can check if they were vulnerable. There was no such system in place at Experian. 

But, said Rosewarne, you could use other sites such as haveibeenpwned.com to check whether your privacy has been compromised. It’s a simple matter of going to the site and entering your email address.

Experian said their investigation shows that no consumer credit or financial information was revealed. But, said Manie van Schalkwyk, the chief executive of Southern African Fraud Prevention Services, because hackers have some of the data, they can use it to pose as an institution such as a bank to get further information. 

He advises people to visit a credit bureau and get their credit report, which will show if there were any devious activities. 

He said hacking happens because criminals use your personal information to impersonate you or to open other accounts. 

“[They] steal our data to steal your money,” said Van Schalkwyk. 

Lukas van der Merwe, a specialist sales executive for security at T-Systems South Africa, said the accelerated move to cloud systems makes data breaches an inevitability. 

“This comes at a time when having preventative measures in place is not enough and hasn’t been enough for some years,” he said. 

Preventative measures should be supplemented by systems that can identify when malicious activity is taking place in networks so that it can be stopped while it is happening, he added.

Rosewarne said that people should avoid using the same password for multiple sites, because if one site is compromised, criminals can try using the same credentials on other sites. 

He added that sometimes, instead of creating new login details, some websites allow users to use their Google logins. This will also make it easier for hackers to use your information at other sites.

Rosewarne suggests that you use dual-factor authentication to lessen the chance of getting hacked. When it comes to passwords, he said they should be at least 12 characters long and people should avoid using dictionary words. 

He said that companies sometimes have breaches and hope this will not become public knowledge. 

Rosewarne said that from a government point of view nothing can be done — unless an individual or group sues the company where the information was hacked. 

But the Protection of Personal Information Act will be fully enacted in July next year, which means businesses will have to disclose breaches. 

Until then, Kendall Keanly, the director of corporate and commercial practice at law firm Cliffe Dekker Hofmeyr, says companies should train their employees to be able to identify possible instances of hacking to adequately protect themselves and their clients.

Thando Maeko and Tshegofatso Mathe are Adamela Trust business reporters at the Mail & Guardian