Insurer Lombard Insurance is working with the Information Regulator and South African authorities after suffering a data breach.
The company first disclosed the incident last month, saying: “Lombard Insurance Company Limited regrets to confirm that it has been the victim of a cyber attack on some of its systems by criminals targeting its data.
“We take this extremely seriously, and we are taking all relevant precautions to limit the impact of the attack.”
The company says independent ICT and forensic experts are working with the insurer’s internal team to analyse the breach and systematically restore the integrity of its systems.
The authorities have been alerted and investigations are under way, it says.
However, the company did not disclose which information was accessed by the hackers or the number of people affected.
In an e-mail to ITWeb this morning, a company spokesperson says “more clarity will be communicated when the information is available to our customers”.
In an earlier statement, James Orford, managing director of Lombard, comments: “We have continued to restore and secure the integrity of our systems and data.
“Our internal team, in conjunction with independent ICT and forensic experts, are working to determine and verify how and which systems and data has been accessed by cyber criminals, and if any data has been copied and pulled off our systems. The relevant authorities have been made aware of and are investigating this incident.
“We’d like to remind you to remain vigilant of any e-mails, telephone calls, WhatsApps or SMSes asking you for more information to help you deal with any data security incidents. Fraudsters often pose as officials from trusted authorities like the police or banks.”
The Lombard incident comes as several South African organisations are being targeted by cyber criminals.
Only last week, credit bureau Experian made the headlines after it experienced a data breach which exposed the personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.
The credit bureau discovered that its IT systems had been targeted in July, the same month Lombard was also hit.
Amid the spike in data breaches, the Information Regulator last week told ITWeb that in the last four months, the regulator has recorded 25 data breaches, 19 of which were self-reported.
Yesterday, Experian and the Information Regulator issued a joint statement saying an individual purporting to represent a legitimate client of Experian South Africa fraudulently requested services from Experian.
They note the services involved the release of consumer information which included telephone numbers and in some instances an address and employment details of individuals.
No consumer credit or financial information was obtained by the fraudster in this incident, they say, adding the fraudster also obtained bank account numbers on some business entities.
Advocate Pansy Tlakula, chairperson of the Information Regulator, says: “We have engaged with Experian South Africa to analyse the details in relation to Experian South Africa’s fraudulent incident and to ensure Experian is taking all necessary steps to protect South Africans.
“While this is a regrettable incident, we note that Experian South Africa has responded promptly to all our requests and has taken measures to protect the data of South Africans by engaging with multiple stakeholders, instituted actions to inform affected data subjects and other affected stakeholders, and put in place additional organisational measures to prevent unauthorised access from happening again. Experian South Africa has also informed us that having identified the suspect, they are working with the authorities to bring the perpetrator to justice.
“We will continuously work with Experian to monitor compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) and to ensure the data of South Africans is appropriately processed, secured and protected.”
According to Tlakula, the recent spike in data exposure incidents in South Africa reinforces the importance of understanding not only cyber criminal activity but also sophisticated fraud impersonation techniques and how they relate to the protection of personal information.
“We encourage all companies to be vigilant of advanced social engineering and fraudulent impersonation and to put in place adequate and appropriate measures.”
Experian Africa CEO Ferdie Pieterse says: “I sincerely apologise to anyone that has been affected by this incident, and advise any individual who has concerns about their data to check their credit report by visiting www.mycreditcheck.co.za, which they can do for free, for life. They will also receive free SMS alerts when a credit enquiry is made on their credit report from now until 1 March 2021.
“I am sorry that this incident has occurred and confirm that we took immediate action to introduce additional controls to prevent this type of incident from occurring again. We are working closely with all relevant authorities, including the Information Regulator, to help ensure data protection for all South Africans.”
Due to the fact that POPIA gives public and private bodies a grace period of one year up to 1 July 2021 to comply with its provisions, the regulator cannot exercise its enforcement powers as yet.