
Cyber breaches are real

07 November 2017 | Talked About Features | Straight Talk | Jonathan Faurie

We often hear horror stories about cyber crime and the potential effects that a cyber crime can have on a company. We hear the stories, but see few examples. This doesn’t mean that cyber crime does not occur. There are many instances where cyber crime is committed and not reported on by the media. This is a problem; we need to hear these stories.

The Equifax saga

Equifax is a consumer credit reporting agency, much like TransUnion. The company has sensitive information about members of the public who make enquiries about the amount of credit that they qualify for. Information that the company has access to includes social security numbers, names, birth dates, addresses and, in some cases, driver's licence numbers.

In September, the company reported that it experienced a data breach in July where cyber criminals accessed the private information of an estimated 145.5 million US citizens.

Equifax also confirmed at least 209 000 consumers' credit card credentials were taken in the attack. It is also believed that UK and Canadian citizens may also have been affected.

Going rogue

While this is a US example, South African companies cannot sit back and rest on their laurels thinking that this would never happen to them; especially when we look at the potential culprit in the Equifax saga.

The New York Times website reported that a former Equifax CEO told a hearing into the matter that the information was leaked because of a mistake made by a single employee.

The article points out that on multiple occasions, Richard Smith – who stepped down as Equifax CEO at the end of September – referred to an individual in Equifax’s technology department who had failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach.

The article added that angry members of the committee tore into Smith and pressed him on how a credit bureau of Equifax’s size, responsible for safeguarding billions of sensitive records on Americans’ financial lives, could have allowed so much data to escape, unnoticed.

The scary thing about the Equifax saga is that, if reports are to be believed, the cyber breach occurred in one night and happened because of an unpatched piece of software that allowed cyber criminals past the company’s firewalls. The sensitive details of nearly half of the US population were stolen in a single night.

Dubious responses

So, the first lesson we can learn from the Equifax saga is that every single company that deals with sensitive information needs to increase the vigilance of the systems and processes that protect this information.

The second lesson we can learn is that a company’s response to a breach such as the Equifax breach is very important. An article on fortune.com points out that when Equifax finally discovered the disaster, its first response was not to warn consumers.

The article added that after waiting nearly six weeks before disclosing the breach in September, it hatched a strategy to turn its victims into paying customers by signing them up for credit monitoring services, which originally contained fine print depriving them of the right to sue.

Where was the protection?

In the world’s largest economy, a country that prides itself on the protection and democratic rights that it offers its citizens, where were the laws that protect the public’s right to protection of their private information?

An article on hg.org points out that the Data Protection Law deals with the security of the electronic transmission of personal data. The article adds that to date, the United States does not have any centralized, formal legislation at the federal level regarding this issue. It does, however, ensure the privacy and protection of data through the United States Privacy Act, the Safe Harbor Act and the Health Insurance Portability and Accountability Act.

What does this mean for SA?

What does the Equifax saga mean for the South African financial services industry?

The line between the haves and have-nots in South Africa is much more sensitive than in the US, which has a much larger middle class. If identity fraud is committed in South Africa, certain members of the public stand to lose everything with very little possibility of recovery.

Editor’s Thoughts:
While we know that the ball rolls very slowly in the halls of government, the Equifax saga is an alarm bell which should force parliamentarians to fast-track the establishment of the Protection of Private Information (POPI) Act; a lot is at stake. Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts at jonathan@fanews.co.za.
