The most astounding thing about the Experian security breach of 24-million South Africans’ personal data is not that the credit agency willingly gave the information to a “fraudster”, but that Experian will escape unpunished because of years-long delays in finalising the legislation.
The Protection of Personal Information Act (POPI) only came into effect this July and gives companies until next July to comply with the regulations.
That means the 24m South Africans and 800,000 businesses whose data was handed to a “suspected fraudster” by Experian have no recourse. Similarly, the so-called masterdeeds data breach – where an estimated 60m South Africans details were exposed in 2018 – also won’t be penalised.
The Popi Act finally has some real teeth to protect people’s data but endless delays mean the two biggest data breaches in South African history will go unpunished. In terms of Popi, Experian could be fined as much as R10m, while its directors be jailed for as long as 10 years.
Experian says the breach happened because of a “fraudulent data inquiry”. But it took all of June and July and half of August before Experian acted, after its “investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian”.
Although it argues that the “services involved the release of information which is provided in the ordinary course of business or which is publicly available,” it claims, “no consumer credit or consumer financial information was obtained”.
Experian claims the misappropriated data has not “been used for fraudulent purposes … [and] … the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services”.
Experian is the world’s largest credit agency and it appears to have been hacked by someone claiming to be a legitimate client.
But its explanations leave a lot of speculation about what could have been done with the data. Even though Experian said the situation had been “contained” – the alleged cybercriminal had access to the data for nearly three months.
The massive data breach actually happened in May, as Business Insider’s Phillip de Wet reported. The data was handed over on 24 May and 27 May this year, including ID numbers, telephone numbers, and physical and email addresses.
Experian only picked up that the data had been “fraudulently” obtained on 22 July, a staggering 57 days later. It executed its Anton Piller order to seize the computer hardware 84 days after the breach, on 18 August.
There goes the global reputation. Especially after the credit agency explained to De Wet what had happened. “The fraud was detected once Experian struggled to contact the representative of the company on his mobile and then attempted to make contact on the company’s landline. The actual person who was impersonated confirmed that he did not have any dealings with Experian.”
The irony is astonishing. A company set up to check the creditworthiness of everyone else failed the check the identity of a potential client.
In Experian’s defence, it isn’t the only global firm to have been hoodwinked recently and come out of it spectacularly embarrassed.
The brazen hack last month of 130 high-profile Twitter accounts – including Barack Obama, Elon Musk, Bill Gates, Kanye West and US Presidential hopeful Joe Biden – was achieved with similar guile. Graham Ivan Clark, a 17-year-old living in Florida, convinced a Twitter staffer that he was a technician and got the login details for the social media giant’s account dashboard. He made an estimated US$200,000 by posting a bitcoin scam but his hacker shenanigans will probably cost Twitter $250m in fines.
The technique used in both of these breaches is known as social engineering. Simply put, it’s a way to gain access to something by convincing someone they should legitimately help the hacker. To do that the hacker needs to know enough relevant, often intimate information to pull off the con. “I work with Jack in IT but he’s off sick and I can’t find his log in details so I can fix that account problem….”.
The con just needs to be plausible enough to convince the mark to give over those details. It usually involves a plea that the conman will get into trouble and plays on human empathy and sympathy, but also gullibility.
This technique was so successful that the FBI put Kevin Mitnick on its Most Wanted List in the 1990s. Mitnick, the famed hacker who inspired the 1983’s classic film War Games, used social engineering to gain access to computer firm DEC’s network, as well as Motorola, among other high-profile hacks.
It’s an unusual return to the early roots of hacking in the 1980s, where “just for fun” hackers would break into networks “just to prove they are able to develop this kind of code,” says Eugene Kaspersky.
The founder and CEO of the eponymous internet security firm has watched the evolution of hacking from such “vandals and hooligans” into a full-blown “cyberstorm”.
The tools of the hacking trade have also evolved with the times, he warned in a recent interview: “In the Nineties we had bicycles and now we have the space shuttle”.
(Watch my full interview here: youtu.be/wE_TlAuwqX4)
Maher Yamout, a senior security researcher at Kaspersky, added this week: “Such types of threats can jeopardise users’ personal information and make them subject to online identity theft and phishing attacks. With all of this personal data being exposed, it is a safe bet that scammers will look to use this information to their benefit.”
The number of cyberattacks just keeps growing and this work-from-home era makes it easier for hackers because most people don’t have the kind of security at home that they do at work. It’s a brazen new era of cybercrime – just ask Momentum, the City of Johannesburg and its City Power division which have experienced ransomware attacks recently. South Africa experienced the third-highest amount of cybercrime victims last year, according to Accenture, which found SA had 577 malware attacks per hour, an increase of 22% over the previous year. It found R2.2bn was lost due to cyberattacks in SA, including from mobile banking app fraud.
Experian is not the last big firm that will be exposed like this, but the worrying part is the stolen data is actually our personal information. If you aren’t paranoid about your personal data, now is a good time to start hardening your security.
This article first appeared in the Financial Mail.