Data breaches expected to worsen

By Masibulele Lunika
Johannesburg, 30 Mar 2017
The Gemalto breach level index shows an increase in data breaches.

Data breaches are expected to worsen in the future in the wake of new technology advancements and the Internet of things (IoT), and SA is no exception.

So said Joe Pindar, director of product strategy and CTO at Gemalto, who presented the findings of the company's Breach Level Index in Johannesburg this week. To create the Index, Gemalto gathered extensive information about data breaches worldwide, using sources such as Internet searches, news articles and analyses.

According to the report, globally there were over 1 792 data breaches in 2016, and almost 1.4 billion data records were compromised, increasing by 86% from 2015. Pindar added that this figure translates to about 3.7 million breaches in a day.

He noted that SA has not been left unscathed as the number of breaches continues to rise. As an example, he pointed to the recent hacking of local movie theatre chain Ster-Kinekor, which exposed personal details of close to seven million South Africans.

IT equipment containing critical and confidential information was also recently stolen from the office of chief justice Mogoeng Mogoeng, Pindar added.

However, he pointed out that this is only a small figure as the majority of companies do not reveal they have been breached. Nonetheless, this will change as the Protection of Personal Information Act comes into play.

According to Pindar, the biggest data breach incidents originated from external threats using the data to commit fraud or to seek ransom. "A number of companies, including healthcare providers, utilities and others were willing to pay ransoms to avoid losing data or having systems shut down."

The report states that something as small as a cellphone number can be used to commit extensive amounts of fraud. Last year, Forbes reported a case where millions of dollars in bitcoin were stolen by hackers using only someone's phone number.

According to the report, malicious outsiders such as hackers and cyber criminals were by far the leading source of data breaches in 2016.

Identity theft was the most common type of attack, used in 1 050 data breaches, 58.6% of the total. Financial access followed with 330 breaches, which accounted for 18.4% of the total. The other types were account access (190 breaches, 10.6%), nuisance (143 breaches, 8%) and existential data (79 breaches, 4.4%, down 56.6% from 182 in 2015).

The healthcare industry was breached the most, with 493 breaches (27.5% of the total), up 10.8% from 2015. Government entities had 269 breaches, 15%. Retail sector breaches went down 10% to 215, from 239 in 2015. Financial services breaches dropped by 22.5% to 214, accounting for 11.9% of the total. Breaches at technology companies, mostly those offering technology services, rose sharply by 54.9% to 189, accounting for 10.5% of the total. "The number of records stolen from these companies soared 277.5% to 391.6 million, from 103.7 million in 2015. The technology sector accounted for more than one-quarter of all the 10 records stolen in 2016, 28.4%." The education sector had 157 breaches, accounting for 8.8%, while the hospitality industry had the fewest, with 26 data breaches, 1.5% of the total.

"What we see here is only the tip of the iceberg, the reason is that we all take our online identities almost completely for granted," said Arthur Goldstuck, MD of World Wide Worx, who chaired a panel discussion at the event.

Goldstuck mentioned some concerns he has personally encountered at points of entry into certain buildings or office parks where, "for security reasons", personal data like IDs, vehicle registrations and cellphone numbers are collected.

"With the kind of information collected, someone can 'steal' my whole life by getting access to my cellphone number and having my driver's licence scanned. We are so vulnerable and yet we are not aware. Even the organisations that are supposed to be protecting us, from Microsoft to Google are not doing that," he says.

"These days, the number of threats is not only increasing, but going through the roof. There are going to be more incidents that will be even more catastrophic," says Stephen Berjak, former principal architect at South African Revenue Service, and now with Oversight Solutions.

According to Pindar, there have been many cases where biometrics have been hacked; they are a way of circumventing by making the process more complicated, but more importantly to make the experience better. "Have your two-factor authentication whether it's biometrics or a one-time pin as a second factor, but you also need to keep your backend authentication systems secure, because if they get compromised, then your authentication is defeated to start with."

Berjak says it is common for fintech start-ups with a big user base to take security for granted. "You have to be careful when you have a large user base that the way you address what is technological advancement doesn't link to business disablement."

"A lack of regulation in Africa is very prevalent," says Justin Williams, executive: group information security at MTN. "In Nigeria, there's regulation that ensures all banks have a two-factor authentication for login, in most of Africa that doesn't exist."
