Category Technology
SUB CATEGORIES General |  Systems |  Magazine |  DigiMags - Systems | 

Human error, fraud, and negligence at the heart of many data breaches

24 August 2020 Gareth Stokes

There was a nice surprise waiting in our email inbox on 19 August 2020 in the form of a notification letter from Standard Bank that our personal data may have been compromised. At a time when stories of cybercrime and data hacks make daily headlines, you can imagine the negative scenarios that started playing out. Dear Standard Bank client, started the message, “You may have noted an announcement by the South African Banking Risk Information Centre (SABRIC) and the Southern African Fraud Prevention Service (SAFPS), informing the public of an external credit bureau incident which occurred within Experian, a credit reporting partner to the financial services industry in South Africa”.

They say forewarned is forearmed; but…

The bank went on to inform us that we were among the clients affected by what they termed an “external credit bureau incident” and that we should visit the credit bureau’s website to find out what personal data fields were compromised. This we duly did, in a bit of a panic. Except, upon arriving at our appointed online destination, we found nothing that might assist us in following the bank’s instruction. Instead, we found a rather benign statement that noted: “We are investigating an isolated incident in South Africa involving a fraudulent data inquiry”. They go on to say that they voluntarily provided credit information to an external third party that had fraudulently represented itself as a legitimate Experian client. 

According to Experian the data ‘breach’ involved the release of information which is provided in the ordinary course of its business, or which is publicly available. The firm’s infrastructure, systems, and database had not been compromised. It took fast action, including reporting the incident to law enforcement, the National Credit Regulator, and the Information Regulator. They are also working closely with banks to manage the situation. But their statement contrasts with that issued by SABRIC, which opined that the personal data from some 24 million South Africans and almost 800,000 businesses had been exposed. 

Regardless of the extent or nature of this data breach, which to involve one party ‘tricking’ another to part with data it had no rights to, we can expect local consumer media, and many non-life insurers that offer cyber protection cover, to proclaim the incident as justification for cyber protection. 

Are banks overstepping the mark?

They say forewarned is forearmed; but was it really necessary for Standard Bank to inform clients of an incident that looks, at first glance, like a non-event? FNB, where we have another account, issued a less strident warning that read: “Customers are advised to be extra vigilant and follow our recommended security precautions”. It seems irrational to create panic among customers following an incident where, per Experian’s statement, “no consumer credit or consumer financial information was obtained” and where “the misappropriated data has not been used for fraudulent purposes”. 

It appears that the third party sought the data with the aim to market financial services products to names so obtained. Quick action resulted in the third party’s hardware being impounded, and the misappropriated data being secured and deleted. Get your popcorn ready; because it is likely the Information Regulator will use this soon-to-be widely publicised data incident to test its powers. It was, after all, only a couple of months ago that our president promulgated various sections of the Protection of Personal Information (POPI) Act. 

Experian will be nervously eyeing the R10 million maximum enforcement penalty that the regulator can levy; but will probably be saved by the fact that the recently promulgated sections of the Act are only in force from 1 July 2021. The third party will hopefully face the full force of the law. 

From strange to stranger still

Of course, things can always get stranger in a world where customers’ interests are at odds with those of a commercial entity. We were surprised that the credit provider’s admission of acting fast and loose with customer data could be followed by a plea for anyone who feared they may be affected to check their credit report, which involved sharing personal data with the very entity that was just compromised. 

Writer’s thoughts:
The Experian data breach and the actions taken by SABRIC and various banks to inform their clients immediately following the incident poses an interesting question for financial advisers. Would you, as a financial adviser, upon reading news of such an incident, have a duty to inform your clients of the possible compromise of their personal information? Please comment below, interact with us on Twitter at @fanews_online or email us your thoughts [email protected].


Added by cynical simon, 24 Aug 2020
As this information seems to be out in the public domain I personally don't think Brokers have a duty to inform clients thereof.
I however refuse to accept this ads a non-event.
It touches on a bigger and possibly deadly toxic situation namely that information on the internet is no longer confidential.
The sooner we accept this fact the better it will be for everybody.
Report Abuse

Comment on this post

Email Address*
Security Check *
Quick Polls


How can medical schemes demonstrate value in a post-pandemic economy?


Focused yet simple communication is crucial to demonstrate the cover's value
It is critical for medical schemes to focus on the customer experience and satisfaction
It is vital to get benefit communications and customer experience on point
fanews magazine
FAnews October 2020 Get the latest issue of FAnews

This month's headlines

Transformation trends - Tough commission procurement rule could dent insurers’ B-BBEE scorecards
Business interruption losses… the uninsurable
Are annuities tailor-made for today’s investors?
Reframing clients’ notions about retirement
In search of sustainable drought solutions
From risk to resilience - What the latest mindshift means for insurers
Subscribe now