Where has my personal data gone?

John McLoughlin
By John McLoughlin
Johannesburg, 27 Oct 2017

Another week, another data breach!

Earlier this year, a massive breach was reported due to a Web site flaw of one of SA's major movie houses, which saw the personal information of seven million users' data at risk.

Those implicated in SA's data leaks thought they had everything in place.

It sounds the same news as every week, except this time, South Africans noticed. This is possibly due to the fact that what was originally reported as the leaking of sensitive data on 30 million people was then discovered to be more than 60 million people, and was attributed to a company in the real estate industry.

The investigation is ongoing, but annoyed citizens are now asking how any company was permitted to hold this type of data. Information breached included names, addresses, ownership status, identity documents/numbers, e-mail addresses, income level and more.

This is the wake-up call those in the know have been preaching about for years.

In plain sight

While no one knows how many times this data has been copied or what nefarious intentions there are at this point, one thing is clear - South African business and ICT professionals need to be more responsible. As the confidential information of pretty much every living South African man, woman and child is floating about, has anyone ensured they do not have important information sitting in plain sight, waiting for the next major data discovery?

Business owners and ICT professionals need to ask themselves some questions. For example: the perimeter is secured, right? End-point machines are running protection tools, correct? Data is securely stored in the right places? Web site and data storage is secure - all of these boxes are ticked, right? Well, think again, maybe not!

When they are satisfied they have answered all of these questions, the final one they must pose to themselves is: what kind of visibility do I have of this data? Can I guarantee it is not visible to the outside world, and do I know who is using it? Can I see if someone is attempting to breach it?

I am confident those implicated in SA's data leaks thought they had everything in place. But businesses need to understand that being blissfully unaware does not absolve them from prosecution, fine and loss of reputation - the latter having the biggest long-term impact. As the investigation unfolds and the real story surfaces behind this latest breach, I believe examples may be set and possibly even jail time given to those responsible.

However, one must pose the question to business execs: do they really think they know where everything is? Or do they think everything is okay because it hasn't been made public yet? Business owners would need to be na"ive or irresponsible to pin the sustainability and success of their companies on vague answers to these issues.

Wake up

It is time for South African companies to unclip their blinkers and take the confidential information of customers, suppliers and staff and - above all - a generally unsuspecting South African public, seriously. This latest data breach has sparked panic and anger, and people are now coming to the conclusion that they cannot stand idly by and think everything is hunky dory.

It is interesting that when the news about this breach broke, it was originally attributed to a hack. But an investigation revealed hacking wasn't even required as the information was easily available on an open Web server. I am quite certain there are ticking time bomb servers loaded with a treasure trove of personal data all over this country, and also not appropriately protected, despite the Protection of Personal Information Act and other compliance directives.

I was dismayed at one report that alleged the official response from the owners of the company was they had no idea this data was resident on their servers. "I didn't know" is not a defence - they should know!

Companies must ensure they have methods in place to know what sensitive data they are holding, and as such, are responsible for securing. Basically, they should start by asking themselves what their answer will be when a journalist calls with questions on what data they hold and how it is protected - if they can't answer the questions, they are definitely liable, but also completely irresponsible. Threatening legal action or attempting a cover-up via responses like: "I need to seek legal counsel before I can respond" will simply add fuel to the flames of suspicion.

I am watching to see if the 'movie house' investigation will reveal how easily this sort of information can be sourced and for what reason anybody would need to know the ID numbers of the entire population.

A business should be aware of the following concerns: does it know where its staff and service providers are storing its sensitive information? What has been copied to the Web, a USB or sharing service? Who is accessing this data and for what reason? Are the company certain it knows?

Real visibility and ongoing monitoring to identify movements and any changes are critical to prevent, identify and remediate breaches. The alternative to ensuring visibility and monitoring is becoming the next headline in the national news for all the wrong reasons.

* John McLoughlin is MD of J2 Software.