A slew of recent high-profile data breaches has cast light onto the Protection of Personal Information (PoPI) Act, which comes into effect at the end of this year. We take a look at some of these breaches and how to protect personal information.
British Airways (BA) and Liberty have been among the high-profile companies to have experienced significant criminal data breaches in the current year, while Absa recently blundered when it released the names of credit defaulters as part of its submission to the Bellville Magistrates Court.
In all three cases, personal information of these companies’ clients found its way into the public domain.
The case of BA was arguably the most severe. Between August 21 and September 5, the personal and financial details of some 380 000 customers making or changing bookings on the BA website and app were compromised.
The personal information compromised included customers’ full names, billing addresses, email addresses and payment-card information including the card number, expiry date and CVV number. All the information the hackers would need to conduct fraudulent transactions…
In the case of Liberty, hackers gained access to its e-mail server and stole “unstructured data”, consisting mainly of e-mails and attachments that were said to include thousands of Liberty investors’ financial details. Approximately 40 TB of data was stolen.
The Absa blunder involved a list of credit defaulters, which included the names and addresses of 13 people not related to the matter. These names had not been censored for publication by Absa’s attorneys, Norton-Lambrianos.
How did the companies respond?
On September 7, BA issued a communique to its customers providing them with further information about the breach. In it the company advised: “British Airways has taken steps to prevent any further data theft. The website is working normally, and we are working with the authorities to investigate how this theft occurred.
“We’ll reimburse our customers who have suffered financial losses as a direct result of the theft of their payment-card details. We’ll also offer credit-rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.”
Liberty’s group executive of group distribution and bancassurance, Johan Minnie, made a statement in July, a week after this company’s data breach.
“We have still found no cases in which any of our customers have been impacted financially. We want to clarify that your policies and investments are secure.
“We are deeply distressed by the data breach that has taken place at Liberty. Please allow me to offer our sincere apologies for the anxiety that this may have caused. We can assure you that we have regained full control of our IT infrastructure and we have deployed additional security measures. The vulnerabilities have been addressed and we are working tirelessly to make sure this doesn’t happen again.
“We have brought in an expert cyber-security team who are working around the clock to manage the breach and assist the authorities with this investigation.”
Not much information is available on the Absa issue. SheqAfrica.com reports that Absa CEO, Maria Ramos, had been asked to respond to the allegations but, as of September 11, had not responded.
“She was also asked to issue a formal apology and do a formal investigation on how this breach of personal information, which people trust will be secure with the banks, was allowed. In terms of Absa’s standard terms of agreement, a debtor only consents to the information being made available to registered credit bureaus,” SheqAfrica.com states.
What did they suggest?
Clients of BA, Liberty and Absa would have long been aware of the compromise to their personal information. Both BA and Liberty issued guidelines to their clients following their respective incidents.
BA stated: “We recommend that you contact your bank or credit-card provider immediately and follow their advice.
“We take the protection of your personal information very seriously and would encourage you to review the advice below:
• British Airways will never proactively contact you to request your personal or confidential information. If you ever receive an e-mail or call, claiming to be from us, requesting this information, please report it to us straight away.
• Review your credit-card or bank-account statements as soon as you can to check for unauthorised transactions or payments. If you suspect fraud, contact your bank immediately.
• Do not respond to, or follow any web links from untrusted sources.”
Similarly, Liberty’s Minnie stated: “If you’ve enabled online servicing, please do log onto the system to view your policy values and confirm this for your own peace of mind.
“We would like to inform you of the following to help you be vigilant in the protection of your data:
• Liberty will not send you an e-mail or link for you to change any of your passwords.
• It is always good practice to ensure you select strong passwords and change them on a regular basis.
• We also recommend that you monitor suspicious phishing e-mails and delete them from your e-mail box immediately.”
How can you protect your information?
The PoPI Act was created to ensure that individuals and juristic persons know exactly what is being done with their personal information. In cases such as these, it is the responsibility of the targeted companies to ensure adequate protection of their clients’ information, while the clients, too, need to consent to how their personal information may be used.
Look out for a full, in-depth feature on the PoPI Act in a forthcoming edition of SHEQ MANAGEMENT.
Although there is little individuals can do to protect personal information from being stolen by hackers, it can be protected from being “phished”. While spam, or phishing, e-mails are nothing new, many people continue to fall for increasingly well-disguised e-mails.
Following these steps can help to avoid falling prey to scams:
• Do not click on any links or attachments in suspicious e-mails.
• Do not respond to spam or phishing e-mails.
• Do not pay ransomware demands or extortionists.
• Update passwords regularly.
• Do not re-use passwords.
• Enable two-factor authentication for all online accounts that support it.