On Tuesday night, it emerged that South Africa has suffered a massive data breach – possibly the biggest to date – in which the personal information of nearly 32 million South Africans found its way onto the internet.
While this obviously poses many risks to those affected, which is the majority of the country’s population, it also once again highlights our lackadaisical and fragmented approach to cyber security.
The breach is also a sad indictment of our poorly formulated and thought-out legislation that deals with cyber security and the safeguarding of personal information by local entities.
It exposes the lack of political will to close the loopholes that would protect people’s sensitive information.
While we are still in the dark as to the source of the leaked information, it would appear that the data breach – most likely the work of hackers – was the result of an attack on a government or commercial entity.
The breach came to light this week when Australian information security researcher Troy Hunt tweeted on Tuesday that he had, in his possession, a very large breach titled “masterdeeds”.
Hunt revealed that the records – pertaining to 31.6 million South Africans – contained detailed information, including names, ID numbers, genders, ethnicities, home ownership, physical addresses, postal addresses, LSM levels, marital status and estimated income, among others.
According to media reports, Hunt discovered the data trove among a large dump of other breaches.
While the IT security researcher said he has not yet seen the data offered for sale, he added that it was definitely floating around between traders.
What’s truly frightening is that the breach reportedly occurred in March this year and contains information from as far back as the early 1990s.
At this point, speculation is that the information most likely comes from either a government source or a commercial entity, such as a bank or credit bureau, but this is yet to be confirmed. So why should South Africans be worried? Quite simply: identity theft.
A breach such as this, containing such detailed sensitive information, exposes people to fraud, identity theft and a host of other criminal activity.
One would hope that since the data breach has now come to light, the hacked entity will do the right thing and confirm the leak and inform everyone affected.
Also, it would be particularly helpful if the said entity would then work with the exposed parties to mitigate the risk and minimise the damage and subsequent costs to all concerned. But don’t count on it.
Unlike in many other parts of the world, South Africa does not have laws that compel an organisation that has suffered a breach to actually admit to it.
Not surprisingly, given the potential reputational damage a data breach could cause, South African entities choose to simply keep quiet and pretend nothing’s happened.
This while you’re being married off to a Nigerian national, opening store accounts and buying property … so, yes, be afraid.