Cybercriminals breach data records of 1.4 million consumers


In South Africa’s latest major data breach, it has emerged that cybercriminals accessed the personal records of more than 1.4 million consumers and employees in a ransomware attack on the servers of Debt-IN Consultants.

African Bank has confirmed that the information of a number of customers in debt review has been compromised in the attack. Piet Swanepoel, the bank’s chief risk officer, said they have been collaborating with Debt-IN to address the breach.

“We have notified the relevant regulatory authorities and are in the process of alerting customers who have been affected via email and SMS.”

The bank said its fraud prevention team has enhanced their security measures to protect customers.

African Bank said customers who detected any suspicious activity on their accounts, or believed their information has been compromised, can apply for a free protective registration listing with the Southern African Fraud Prevention Services, which will alert banks and credit providers that their identity has been compromised.

Debt-IN provides debt recovery services to a number of financial services institutions.

It said on Wednesday that the breach occurred in April but only came to light last week “with the discovery that confidential consumer data and voice recordings of calls between Debt-IN debt recovery agents and financial services customers had been posted on hidden internet sites that are only accessible by a specialised web browser”.

Debt-IN said it is working closely with the Information Regulator, law enforcement agencies and other cyber-security partners to gather facts, resolve the issue and provide ongoing information to clients.

The company said no further breaches have occurred to date.

It said it has taken “immediate and appropriate actions to reinforce existing security measures and to mitigate any further potential impacts of the breach, including assembling a team of highly regarded and globally experienced cyberbreach and forensic experts to work with Debt-IN on the incident”.

Chief executive Mark Essey said: “Debt-IN deeply regrets this cyber-attack, and we apologise unreservedly for the inconvenience and anxiety this data breach has caused our clients and their customers.”

Concerned customers and clients can email compliance@debtin.co.za or call 0800 079 661 (toll-free).

Latest in a spate of attacks

The Debt-IN data breach comes as the Department of Justice and Constitutional Development is still trying to get its systems fully back online following a ransomware attack on 6 September. Ironically, the attack also affected the Information Regulator, which uses the department’s IT system.

Last week, the Hawks Serious Commercial Crime Investigation unit announced they had arrested a 36-year-old suspect for his alleged involvement in the huge data breach at credit bureau Experian in August last year.

The Hawks said the suspect downloaded the data records of about 23 million people and 727 000 businesses and tried to sell them for about R4.2 million. Some of the data was later compromised and dumped on the internet.

On 6 September, the SA National Space Agency (Sansa) said one of its data files was dumped in the public domain. However, the agency said an internal investigation had found that its network had not been breached.

And in perhaps the country’s most far-reaching incident so far this year, Transnet had to declare a force majeure between 22 July and 2 August after a cyberattack on its terminal operating system. The attack led to significant disruptions at the country’s ports. It is suspected that the attack involved ransomware.

Why hackers like ransomware

Ransomware is a type of malware (malicious software). If a computer or network has been infected with ransomware, the ransomware either blocks access to the system or encrypts its data. Cybercriminals demand a ransom in exchange for releasing the data.

In its August cyber security update, software and cloud computing company SoftwareOne said this year has seen many major ransomware attacks involving hefty ransom payments, leaked data and major disruptions. Large enterprises, NGOs, hospitals and government institutions fell victim to ransomware, resulting in enormous financial losses, operational disruptions, privacy concerns and massive lawsuits.

In one of the most significant ransomware attacks, in May, hackers forced US energy company Colonial Pipeline to shut operations and pay a ransom of 75 Bitcoins (about $5 million). The shutdown resulted in massive fuel shortages across the US. The FBI later recovered 63.7 of the Bitcoins.

SoftwareOne says hackers are increasingly likely to use ransomware to attack IT systems. It says the main reasons for this are:

  • Many ransomware victims choose to pay the ransom instead of involving law enforcement agencies to avoid the risk of losing their data. Moreover, attackers can easily cover their tracks through the receipt of ransom using cryptocurrencies and the dark web.
  • Ransomware attackers have discovered how to avoid legal issues, such as by focusing their efforts on countries where the laws and regulations make it easy to avoid prosecution for cybercrimes. Law enforcement agencies from various countries often find it difficult to co-ordinate with each other because of non-existent legal channels.
  • Security loopholes are common because of the speed at which software is changing. Many companies do not want to spend long periods on the quality management and security evaluation of software due to fear of falling behind.
  • For small businesses in particular, the addition of tertiary storage doesn’t seem like a valuable investment. When they do become victims of a ransomware attack, they might decide it is more cost-effective to pay the ransom rather than securing their data in advance.

SoftwareOne says preventing ransomware attacks sometimes involves basic practices such as creating strong passwords and regularly updating your systems. Educating employees about ransomware and its harmful effects can also go a long way in preventing these attacks.

1 thought on “Cybercriminals breach data records of 1.4 million consumers”

  1. Genius hackers routinely successfully attack large financial institutions that spend tens of millions on data and information security. It is a never-ending battle of wits. What realistic chance does a run-of-the-mill FSP have to defend itself? Hacking an FSP is child’s play for even entry-level hackers and script kiddies.

    POPIA and financial services regulation and legislation (e.g. BN 194 of 2017, Operational Ability) stipulate onerous and unrealistic data and information security obligations on businesses such as FSPs.

    For example, BN 194 section 37:

    The governance framework of an FSP must (include) risk management policies, procedures and systems, including-

    (ii) systems and procedures that are adequate (when is it ‘adequate’?) to safeguard (what qualifies as ‘safeguard’?) the security, integrity and confidentiality of information, including – (what is ‘information’ – does it have the same meaning as the definition in POPIA?)

    (aa) electronic data security (what does ‘security’ mean?) and internal and external cybersecurity (cybersecurity is a no-contest for FSPs against hackers);

    (bb) physical security of assets and records; (when is something ‘physically secure’?)

    (cc) system application testing; (are FSPs seriously expected to test technology and computer systems, such as those of cloud storage service providers, web hosting companies, Microsoft software applications, Google applications?)

    (dd) back-up and disaster recovery plans and procedures for systems and electronic data; (the technology company service providers, being the expert outsourced service providers, are responsible for data back-up and disaster recovery. It is what they do.)

    (iii) systems and processes to ensure (i.e. guarantee) accurate (what is meant by ‘accurate’?), complete and timeous processing of data (does this have the same meaning as information processing as defined in POPIA?), reporting of information and the assurance of data integrity (what is ‘data integrity’?) (reporting of INFORMATION – assurance of DATA integrity. What is the difference between data and information?)

    How can FSPs even remotely comply with these concepts?

    POPIA talks about ‘personal (private) information’. FAIS GCOC talks about ‘confidential information’. What now?

    I can see the movie in my mind’s eye: a techie was tasked to write some stuff about data and information for inclusion in financial sector legislation. This techie stuff was simply included in the legislation without much thought or consideration. So here we are – 99.9% of us cannot ever be compliant. I wonder whether the FSCA employees tasked with conducting FSP compliance audits even understand the techie jargon themselves?
