Some Old Mutual correspondence lacks security
Old Mutual is applying password protection to all of its electronic contracts and customer statements, and aims to complete the process by August.
This after the investment, savings, insurance and banking group admitted not all of its correspondence with clients is currently password-protected, although it says "the bulk" is.
Old Mutual client Malefetsane Kotsi told the Sunday Times Power Report that he had received communiques from Old Mutual which were intended for two other customers. They contained confidential banking information - including ID number, address and bank account details - which were not password-protected.
"The confidentiality of our customers' information is something that Old Mutual takes very seriously and we regularly update our processes to secure the integrity and confidentiality of information in our possession," the company said in an e-mailed response to ITWeb.
"Many institutions, including financial institutions, still distribute documentation containing confidential information without any significant protection, such as password-protected documents, or specialised readers," says Jason Jordaan, principal forensic scientist at DFIRLabs.
"Unfortunately, if this information by accident ends up in the hands of the incorrect person, it would constitute a data breach as envisaged by the Protection of Personal Information Act (POPI), and the institutions concerned would have to account for that," he adds.
Old Mutual says one set of incorrect correspondence to Kotsi contained fund statements that were password-protected, but the other communique was not encrypted and contained confidential personal information of a customer who took out an Old Mutual savings plan.
"Once we were alerted, we immediately investigated and found Mr Kotsi and the other two Old Mutual customers all share the same first name and same e-mail domain. This similarity led to them mistakenly providing Mr Kotsi's address to us," explains Old Mutual.
It says it immediately contacted the other two customers to make them aware of the mistake and to obtain their correct details to update its records.
Jordaan says "at the very least" this information should all be password-protected, but in the case of more sensitive information, it should ideally be encrypted.
"I feel that in our modern interconnected world where money is nothing more than data, information security is the most important aspect. Poor information security leaves you vulnerable."
Jordaan says while the planned POPI Act makes it a requirement to safeguard information such as this, "there are currently no specific legal requirements saying how this should be done".
SA is still to announce a commencement date for POPI, more than two years after it was signed into law. The Act aims to promote transparency with regard to what information is collected and how it is to be processed. In terms of the Act, Parliament needs to appoint an information regulator to enforce the new legislation, something it is dragging its feet on.
"If all of POPI had been enacted, an incident like this could have been reported to the proposed information regulator, which could have had significant legal consequences in terms of that Act. Without the provisions of that Act being fully in place, affected clients could still take potential civil action against the institutions concerned," says Jordaan.
Dominic White, CTO at information security company SensePost, says that legally, the South African Revenue Service requires that VAT invoices be at least encrypted.
"Ideally, these companies should send the information via a secure channel, such as a smartphone app rather than via e-mail or post, as well as actually protecting the contents.
"Encryption can work, but only if the key (to decrypt the contents) and the content are separated and the key is strong. Often they aren't; for example, if the key is sent via e-mail with the content, or the key is weak (for example your ID number)," adds White.
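As an added illustration of White's point, and not code from the article or from any of the companies named: a check that flags the two weaknesses he describes, a document key that is the customer's ID number and a key sent in the same message as the content, and compares the guessing effort against a random key. The SA ID layout and its Luhn check digit are public; the sample ID number and message are constructed.

```python
import math
import re
import secrets
import string
from datetime import date

# SA ID layout is YYMMDD SSSS C A Z: birthdate, sequence, citizenship (0/1),
# a digit that is almost always 8, and a Luhn check digit Z.

def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def looks_like_sa_id(pw: str) -> bool:
    """True if the password has the structure of a valid SA ID number."""
    if not re.fullmatch(r"\d{13}", pw):
        return False
    yy, mm, dd = int(pw[:2]), int(pw[2:4]), int(pw[4:6])
    try:
        date(1900 + yy, mm, dd)  # century is ambiguous; any real date counts
    except ValueError:
        return False
    return pw[10] in "01" and luhn_valid(pw)

def guess_bits_sa_id() -> float:
    # ~365 birthdays x ~100 birth years x 10^4 sequence values x 2 citizenship
    # values; the A digit is nearly fixed and Z is derived, so they add nothing.
    return math.log2(365 * 100 * 10_000 * 2)

def guess_bits_random(length: int, alphabet: str) -> float:
    return length * math.log2(len(alphabet))

def generate_document_key(length: int = 16) -> str:
    """A key worth sending over a separate channel: CSPRNG, 16 alphanumerics."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def check_protection(password: str, message_body: str) -> list:
    """Return the weaknesses found in how a protected attachment is sent."""
    problems = []
    if looks_like_sa_id(password):
        problems.append("key is an ID number (guessable in ~%.0f bits)" % guess_bits_sa_id())
    if password in message_body:
        problems.append("key travels in the same message as the content")
    return problems
```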
Old Mutual says although it has checks in place to verify customer information, some responsibility still remains with consumers.
"Old Mutual also relies on customers to provide us with correct contact information so it remains in customers' best interests to play an active role in their relationships with service providers - like Old Mutual in this case."
This includes registering and updating personal information on the Old Mutual Web site.
"We greatly appreciate it when customers, like Mr Kotsi, provide feedback to us which helps us to take corrective action," the company adds.
Whether this incident will have any impact on customers' perception of how secure their confidential information is with Old Mutual remains to be seen, but White says in the end, for most consumers, it all comes down to cost.
"The real test is how much they're willing to pay. For example, if one investment bank charges 15% more than another, but claimed a much higher level of security, I'm not sure if customers would be as enamoured with the idea."