What happened?
South Africa’s largest data breach has now been contained, according to the Experian credit bureau. During 24 to 27 May this year, it had released the personal details – including identity numbers, telephone numbers, physical and e-mail addresses of more than 23 million individuals and nearly 800 000 businesses – to an individual, now the ‘fraudster’, who presented himself as authorised to have that information.
Experian now knows how sophisticated cyber criminals can be. It explained in Business Insider yesterday that the fraudster used sophisticated techniques to misrepresent himself as the director of a legitimate local financial services company. He had the identity number of the director of the company and all the company's information. He had created a fake website for the company, complete with e-mail addresses for clerical and administrative staff. Because of the lockdown, Experian did not visit him at his place of business.
For all of June, July, and the first two weeks of August, data subjects were not aware of this issue, as Experian first sought to plug the leak. It brought an Anton Piller application, which requires and allows for the element of surprise and secrecy. (An Anton Piller order is applied for in secret. This means that it is brought without notifying the party who will be affected by it, or of the order which might be made as a result of the application. Even the hearing of the application in court takes place without the knowledge of the other party.) Experian acknowledged that it had detected the breach on 22 July, that is 57 days after handing over the data. The Anton Piller order was fully executed by 18 August – 84 days after the breach.
South Africa’s large banks are warning affected and potentially affected customers to exercise heightened vigilance, because that information could be used in identity theft attempts, or to convince people to hand over more information.
Business and The Protection of Personal Information Act (POPIA)
Most businesses are aware that POPIA became operational some two months ago and that a window period of 12 months is in place affording businesses an opportunity to evaluate their systems and ensure that personal information they have is protected, as required in terms of POPIA, to the best of their ability by 1 July 2021.
But what if businesses simply decide not to bother? What’s the worst that can happen?
Firstly, the true damage caused by data breaches is not the cost of litigation or the substantial fines (of up to R10 million per instance of breach) for which POPIA makes provision. Yesterday’s news of the Experian data leak speaks for itself. The risk lies in the substantial reputational harm to businesses that suffered a data leak or breach of the obligation to protect the personal information that they hold.
A second consideration is that the Information Regulator may investigate any complaints it receives and may, on its own initiative, investigate businesses, whether a complaint was lodged or not. This means that there is not really any room to hide, in any event.
Thirdly, the Information Regulator may issue an enforcement notice if it is satisfied that the business has interfered or is interfering with the protection of the personal information of a data subject. It may require your business to take specific steps within certain time periods, which can immediately disrupt your usual way of going about daily business.
I believe that the most important consequence of a failure to take POPIA seriously is the reputational harm to, and loss of trust in, your business. Rather be ahead of the curve and be in a position to advise your clients, in the wake of news such as that of the Experian leak, that the information your business holds about them is kept safely and in line with the requirements of POPIA.
We assist businesses to adjust their systems to address the safety of personal information kept and to update policies and training, to become wholly POPIA compliant. For assistance, contact Maryna Botha on marynab@stbb.co.za.