Information watchdog sees data breach notifications double
The office of South Africa’s Information Regulator (IR) says it has received 1 021 data breach notifications, to date.
The Information Regulator revealed this number when responding to ITWeb’s questions about the Western Cape Provincial Parliament’s (WCPP’s) recent security compromise.
The new figure is nearly double the 564 data breaches or security compromise notifications that advocate Pansy Tlakula, chairperson of the Information Regulator, indicated in February.
At the time, Tlakula said the over-processing of data subjects’ personal information is squarely to blame for the heightened data compromises.
The Information Regulator, which is headed by Tlakula, is mandated to ensure organisations put in place measures to protect the data privacy of South Africans under the Protection of Personal Information Act (POPIA).
Under POPIA, organisations must inform the Information Regulator, and the affected data subjects, when there are reasonable grounds to believe that the personal information of data subjects has been accessed or acquired by an unauthorised person.
The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputational loss. Offenders can face fines of up to R10 million or up to 10 years of imprisonment, depending on the seriousness of the contravention.
However, none of the organisations that have been fingered in data breaches have been brought to book since POPIA came into force on 1 July 2021, with Tlakula previously noting the complexities of this exercise.
Data leak momentum
The CSIR estimates the cost of cyber crime to the South African economy at R2.2 billion per annum, amid the country’s worsening data security and privacy environment.
Since Tlakula’s February pronouncement, a number of organisations have confirmed suffering data breaches and leaks.
After a cyber attack on its ICT systems, the WCPP warned last week that it had suffered a data leak, compromising some or all of its data. The provincial legislature advised its stakeholders − including participants in WCPP events, media representatives, members of the Cape Town consular corps, job applicants and service providers − to exercise vigilance in respect of their personal information.
Systems integrator Dimension Data and its subsidiary Merchants in March acknowledged a “limited” breach experienced on their call management system platform that exposed client data.
Additionally, a glitch in big-four bank FNB’s mobile app exposed the personal information of customers applying for home loans through the digital platform. The exposed data included personally identifiable information, such as names, identity numbers and contact details.
Subsea cable operator Seacom last month also confirmed a cyber attack, saying the incident impacted a small number of its customers.
In September 2021, over a million South African citizens potentially had their personal data exposed after a ransomware attack at debt recovery services firm Debt-IN Consultants. Most local banks make use of Debt-IN Consultants’ services.
Meanwhile, in August 2020, credit bureau Experian suffered a breach of data, which exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.
Jason Jordaan, principal forensic analyst at DFIR Labs, believes the reason SA is seeing more data breach notifications to the Information Regulator is that more organisations are aware of the legal responsibility to report data breaches.
Jordaan believes the number of breaches reported to the info watchdog does not represent the actual number of breaches that have occurred, saying there are several reasons for this.
“Victims may not be aware of the fact that they have actually suffered a data breach, and if they are aware, they may not know they have an obligation to report.
“A classic example of this is a business e-mail compromise case. In the majority of these cases, before the fraud even occurs, the attackers have compromised the e-mail service of the victim, gaining access to every single e-mail in their mailbox. This exposes all this personal information to the attackers.”
On the issue of SA being behind the curve on enforcement in respect of security compromises, Jordaan points out there are two aspects to enforcement.
“The first is the criminal justice aspect, which requires investigation to attempt to identify the perpetrators. The simple reality is that currently our law enforcement authorities are not well-equipped to do this.
“The second is the investigation by the Information Regulator, which needs to determine if there was any non-compliance with the requirements of Section 19 of POPIA. I don’t feel the regulator is fully capacitated in this regard. They will require significant assistance in this.”