Why SA is heavily prone to data breaches
In the wake of Experian’s massive data breach last month, a new report reveals that the average total cost of data breaches for this year was R36.4m, down from R52.1m last year.
Legalbrief reports that despite the improvement, Bidvest International Logistics (BIL), a logistics business that provides an end-to-end supply-chain solution across several industries, is warning that SA is still ‘heavily prone’ to the threat. IBM’s Cost of a Data Breach Report 2020 covered 17 countries, including SA, with 524 organisations that had experienced data breaches recruited into the study. It was conducted between August 2019 and April 2020. The global supply-chain sector has been particularly hard hit, with nearly 300 cybersecurity incidents reported last year. Ransomware attacks, which encrypt data and block access to systems until a ransom is paid, have become the most common and costly form of cyberattack in the industry.
BIL’s IT director Lesiba Sebola said that while the problem has seriously impacted supply-chain entities, the industry is by no means the only one affected. ‘There have been a number of reported security incidents, although not specific to the supply-chain sector, that have reverberated throughout the country,’ said Sebola. A report on the IoL site notes that these include the hacking of insurance giant Liberty Life’s e-mail repository, the installation of spyware on transport operator Gautrain that cost the entity R11m, a hack into the Civil Aviation Authority’s systems, and a ransomware attack on Tracker, a stolen-vehicle-recovery company. ‘In most of these incidents, the underlying cause was social engineering, which, in the context of data security, is manipulating people into divulging confidential or personal information that may be used for fraudulent purposes,’ Sebola said. The IBM report revealed a growing divide between organisations that have advanced security processes and those with less advanced protocols in these areas. And while many people believe that data protection is an IT issue, BIL doesn’t hold this view. ‘IT is just a component in the protection strategy,’ Sebola said. He added that companies need to get the basics right as far as developing and implementing a cybersecurity policy, and then adhere to it.
Worldwide, the cost of a breach is largely going up. The Middle East was the second costliest region last year. Canada and Japan – third and fifth on the list respectively – saw their average costs go up too. The full report, which spans 82 pages, digs into the numbers further. For the 10th year in a row, healthcare organisations have had the highest costs associated with a data breach. This year IBM claims that a healthcare breach costs an organisation $7.1m on average, up slightly from last year ($6.45m). The Digital Guardian reports that the second costliest industry, the energy sector, cost firms $6.39m on average. Only three industries saw an increase in the total cost of a breach: healthcare – a 10.5% increase, energy – a 14.1% increase, and the retail industry, which saw a 9.2% uptick.
Meanwhile, Experian says it is actively pursuing both criminal and civil charges against the perpetrator who walked off with records of millions of South Africans after impersonating one of the company’s clients. CEO Ferdie Pieterse confirmed that civil and criminal procedures were being pursued against the perpetrator as the credit bureau took every step available to limit the impact to citizens and businesses in SA. Business Day reports that the most astounding development relating to the Experian breach is not that the credit agency willingly gave the information to a ‘fraudster’, but that Experian will escape unpunished because of years-long delays in finalising legislation. The Protection of Personal Information (Popi) Act only came into effect in July this year and gives companies until next July to comply with regulations. As a result, the 24m consumers and 800 000 businesses whose data was handed to a ‘fraudster’ by Experian have no recourse. And the so-called Master Deeds data breach – where an estimated 60m South Africans’ details were exposed in 2018 – also won’t be penalised. Experian says the breach happened because of a ‘fraudulent data inquiry’. But it took 10 weeks before Experian acted, after its ‘investigations indicate that an individual in SA, purporting to represent a legitimate client, fraudulently requested services from Experian’.