4 lessons for businesses on South Africa’s biggest data breach

While massive data breaches are associated with international companies such as Ashley Madison or LinkedIn, South Africa is no stranger to customer data being released into the public domain by cybercriminals.

In fact, it was in October 2017 when security expert Troy Hunt stumbled across the largest data breach in South African history.

The personal data of millions of South Africans was compromised when a database backup file titled “masterdeeds.sql” was leaked publicly online. The data contained millions upon millions of ID numbers, as well as contact details, addresses and income of certain individuals. It’s rumoured that even President Jacob Zuma’s cellphone number was available in the data.

This data had been publicly available for over seven months — an alarming amount of time for the leak to go undetected.

With over 60-million unique ID numbers (more than the country’s population) available in the file, it’s likely that the majority of South Africans were affected. Even certain deceased citizens had their information exposed.

Dracore Data Sciences was identified as the possible source the information, which was collected and then made available to clients. However, while they may have collected the information, it was not through their servers that the data was leaked. Rather, the data was leaked from the servers of property company Jigsaw Holdings.

The seriousness of the situation is evident from the launch of Home Affairs and Hawks investigations into the breach.

So what can other companies learn from this breach to ensure they don’t find themselves in a similar situation?

Don’t collect customer data that’s not relevant to your business

People generally don’t like their information being collected without their permission, never mind data that provides excessive amounts of personal detail.

“The premise of a private company collecting huge troves of data about individuals without their consent then monetising it by selling it to other organisations who may then mishandle it (as is obviously the case), is alarming,” Hunt says in a blog post on the breach.

“Dracore may not be the ones who published the data to the internet, but questions must be asked about whether an organisation like that should have had it in the first place.”

The Protection of Personal Information (PoPI) Act will greatly curb this kind of data collection — businesses will need to secure permission to collect consumer information and this information may not extend past valid reasons for collection. For example, for a mailing list, a customer will need to give permission for companies to keep their email address. Companies will not be able to collect information such as age, gender, and other contact details, without valid reasons.

The ETA for the implementation of the PoPI Act is uncertain, but businesses should start adjusting their practices to become compliant.

Avoiding the excessive collection of client information can also protect a business from liability, as data breaches that severely impact consumers can lead to lawsuits and penalties.

Any data that you do store needs to be highly secured

A major flaw that led to the Masterdeeds breach was lax cybersecurity on the Jigsaw Holdings server.

“The question around this breach is why this data was sitting on a web server unsecured,” Sharon Knowles, CEO of cybersecurity firm Da Vinci Forensics, told Memeburn.

She adds that the PoPI Act can’t protect data from being leaked — it’s a company’s responsibility to ensure that they are compliant with data protection regulations.

The kind of data exposed by the Masterdeeds leak could have severe effects on consumers. As Knowles points out, consequences could include ID theft, personal information being sold on the dark web to the highest bidder, and fraudulent applications for credit.

In a day and age where cybersecurity audits and secure document management systems can be outsourced easily, without the need for a dedicated in-house IT team, businesses are running out of excuses when it comes to inadequate encryption and protection of data.

Only need-to-know personnel should have access

One of the best steps companies can take towards protecting data is limiting the number of people who can access it.

You wouldn’t let the new intern access payroll documents, so you shouldn’t make client data available to everyone. Only essential personnel who need to access it to perform their job specification should have access.

This increases the protection of data as it limits the number of PCs, mobile devices and user profiles through which information can be leaked. You can then focus on ensuring that the devices and profiles of these users have the necessary anti-malware and encryption software needed to keep data out of the hands of cybercriminals.

You should also make sure that the companies that store or backup your data have the necessary security in place.

“The biggest lesson would be: who are your service providers and business partners, what risk do they pose to your data security and are they regularly vetted and risk assessed?” questioned Knowles.

Educate your staff

While the investigations into the breach haven’t answered how exactly the data was leaked, some cybersecurity experts theorise that hackers gained access via a phishing email.

Employees can often be the weakest link in a company’s cybersecurity if they do not know how to avoid phishing scams and malicious software downloads.

This is why every company should educate their staff in cybersecurity practices. This includes how to identify scam and phishing emails, how to identify suspicious sites, and how to keep company login and password information secured and secret.

Knowles says that more lessons will be clearer once the cause of the leak is determined. However she says that certain security flaws contribute to the majority of breaches.

“I will tell you that 63% of all breaches involved a weak password.” Furthermore, many phishing campaign links are clicked within their first five minutes of being sent out.

As a result, it’s essential to make sure your staff don’t compromise your business through ignorance.

Feature image: Markus Spiske via Unsplash