
Beware dismissals based on spite

By Ivan Israelstam, chief executive of Labour Law Management Consulting

Feelings of spite arise at work for a great variety of reasons such as:

  • Power struggles between managers
  • Employees competing for advancement
  • Racial and other prejudices
  • Scapegoating
  • Managers feeling threatened by other managers or senior staff
  • Sexual affairs
  • Favouritism and victimisation
  • Nepotism
  • The development of factions

Feelings of spite occur across the spectrum of all types of employers. While these smouldering conflicts affect all levels of employees, they tend to become much more intense and damaging in the senior levels of the organisation.

For example, in the case of Joseph vs Standard Bank of SA (2001, 8 BALR 868) Joseph was dismissed for failing to be present when money was being prepared for collection. The CCMA arbitrator found that, in the specific circumstance, it was unreasonable to have expected Joseph to be present at the preparation of the cash. This was because she was required to carry out a number of other duties at the time of the cash preparation. The CCMA also found that the dismissal had been implemented out of spite due to a personal clash between Joseph and her superior. As a result the employer was ordered to pay the employee 12 months’ remuneration in compensation.

In cases of dismissal due to spite employers might lose not only financially due to CCMA awards. A more serious consequence can be negative publicity. Also, the fallout in terms of damaged employee relations, impaired teamwork, poor performance and lost productivity can cripple an organisation.

It is therefore crucial that the employer:

  • Identifies personal hostilities early
  • Accepts that they need to be dealt with urgently
  • Assigns its best industrial relations expert to develop and implement a strategy for resolving the conflict in an orderly, fair, pragmatic and legal way.

The higher up the organisation ladder an executive goes the more likely that, where conflicts exist, the employer will try to resolve the matter quietly by putting pressure on the executive to resign. Executives and other employees often accept small or mediocre ‘settlement packages’ to avoid the discomfort of a dismissal.

However, more recently, executives have begun to dig their heels in and are more reluctant to accept packages because jobs are harder to find. This means that employees are often negotiating bigger settlement packages especially if they have the backing of an experienced labour law negotiator.

Employers are warned that the amount of the settlement tends to increase in proportion to the extent to which the employer has breached the law. For example, we recently negotiated, on behalf of an executive, a settlement well in excess of one year’s remuneration. And this is becoming a more and more common occurrence.

On the other hand, we have also been able to help employers to avoid having to pay such crippling settlements by intervening before the pawpaw hits the fan. That is, where we have been called on in time we have been able to avoid rash action by the employer which then places the employer in a stronger negotiating position.

Workplace politics are here to stay but employers and employees can, by acting timeously and sensibly, prevent them from causing irreparable harm.

By Sizwe Dlamini for IOL

Consumer, business and credit information services agency Experian has experienced a breach of data which has exposed personal information of as many as 24-million South Africans and 793 749 business entities to a suspected fraudster.

Experian confirmed in a statement on Wednesday that the breach had been reported to law enforcement and the appropriate regulatory authorities.

The company handed over information to a suspected fraudster, and the suspect had already been identified and the data deleted.

It said banks had been working with Experian and South African Banking Risk Centre (SABRIC) to identify which of their customers might have been exposed to the breach and to protect their personal information, even as the investigation unfolds.

Banks and SABRIC have also been co-operating with Experian in their efforts to secure the data and ensure the perpetrators are brought to book.

SABRIC chief executive Nischal Mewalall said the compromise of personal information could create opportunities for criminals to impersonate another person but did not guarantee access to banking profile or accounts. “However, criminals can use this information to trick you into disclosing your confidential banking details.”

“Should you suspect that your identity has been compromised, apply immediately for a free Protective Registration listing with Southern Africa Fraud Prevention Service (SAFPS). This service alerts SAFPS members, which includes banks and credit providers, that your identity has been compromised and that additional care needs to be taken to confirm that they are transacting with the legitimate identity holder,” said SABRIC.

Consumers wanting to apply for a Protective Registration can contact SAFPS at protection@safps.org.za.

SABRIC and SAFPS urged bank customers and other consumers to follow sound identity management practices to mitigate the risk of impersonation and fraudulent applications.

SAFPS chief executive Manie van Schalkwyk said: “Think of your identity information in the same way as you think of cash. Keep it safe and secure at all times, because once it is compromised, it can be used by anybody, often to impersonate you.”

It is also recommended that bank customers follow precautionary measures, including:

  • Do not disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax, text messages or even email.
  • Change your passwords regularly and never share them with anyone else.
  • Verify all requests for personal information and only provide it when there is a legitimate reason to do so.

 

Postbank forced to replace 12m bank cards

Source: MyBroadband

Postbank needs to replace 12-million bank cards at a cost of R1-billion after its “master key” was compromised, the Sunday Times reported.

Citing several internal Postbank reports, the Times found that the bank’s master key was stored in plaintext during a data centre migration in July 2018. Two staff members also stored the key in plaintext on USB flash drives and one of the drives can’t be located.

One of the internal reports cited in the article, an overview of financial crime, reportedly stated that Postbank found 25,000 fraudulent transactions between March 2018 and December 2019. R56 million was stolen.

The master key was generated in January 2018, according to the report.

The article described the master key as a 36-digit code which allows anyone to read and write account balances, and read and change information on any of the cards the bank has issued.

The Post Office denied that its master key for Postbank’s cards had been compromised, saying that the “stories” were unfounded and only seek to create panic among Postbank’s clients.

Postbank’s clients include millions of social security beneficiaries who receive grants from the government every month.

No audit trail

Referring to another internal report titled “Overall IT Security Register” from January 2020, the Sunday Times reported that the Postbank had no logging in place to trace fraudulent transactions.

Postbank was not able to audit when an account was accessed, who accessed it, and what was done on the account.

A spokesperson for the Post Office said that it is on record that “systematic difficulties” were uncovered with the “reconciliation functionality” of the integrated grant payments system, and that the issue has been resolved.

R42-million stolen from Postbank in 2012

This is not the first time information security problems at Postbank have resulted in money being stolen.

In 2012, a syndicate stole R42 million from Postbank in a heist that took place over the New Year holidays — between 1 January and 3 January.

The syndicate opened several Postbank accounts across South Africa towards the end of 2011, and over New Year’s they gained access to a Rustenburg Post Office employee’s computer. From there the syndicate made deposits from other accounts into its own.

Over the next three days, automated teller machines in Gauteng, Free State and KwaZulu-Natal were used to withdraw cash from the accounts.

Liberty Life hacked, user data exposed

Financial services group Liberty Life sent out an SMS to their clients on Saturday evening informing them of a major security breach.

Liberty launched an investigation after its systems were hacked, and said the hackers alerted the company to potential vulnerabilities in its systems and were now demanding compensation.

The Sunday Times reported that the hackers obtained sensitive information about some top clients and have demanded payment of millions of rand not to release the data.

Liberty has communicated with its customers regularly, advising them to change passwords as applicable.

Liberty Life hack could be ‘an inside job’: expert

A security expert has questioned how hackers gained access to Liberty Life clients’ information, suggesting it could have been an inside job.

The financial services provider confirmed on Saturday that its information technology system was hacked last week, by people who demanded payment. It has since regained control of the system.

“It most likely happened in one of two ways: it was either an inside job or someone with the correct privileges was hacked, which means that they could have used that person’s permissions to get into the system,” said managing director of Ukuvuma Cyber Security, Andrew Chester.

He said the hack could have been avoided by applying general data security practices such as encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring systems.

“Why did Liberty have unstructured email data and attachments that were left unmonitored and more importantly, why was this sensitive data not encrypted? When doing threat-hunting or a security analysis for any company, the first thing one looks for is how easy it is to extract data without being detected.

“Additionally, how did the hackers know where to find the data? If it was an inside job they might have been tipped off, but if it wasn’t, it means that they spent enough time on the infrastructure to know where to look, which is very alarming,” he said.

Chester said it was also concerning that no-one detected the breach until the hackers themselves informed the company.

“There’s a common saying that you sometimes don’t know you’ve been hacked until law enforcement comes knocking at your door, but in this case, Liberty only found out once the criminals had contacted them,” he said.

The company said its investigation into the breach was at an “advanced stage”.

Source: eNCA 

By Harry Pettit for MailOnline 

An ‘embarrassing’ leak shows the European Union has fallen short of its own data protection laws.

The European Commission’s website has published 700 records, including the names, addresses and mobile numbers of conference attendees, according to a report.

Officials in Brussels admitted the authority that designed the rules is not itself compliant with the General Data Protection Regulation (GDPR).

The Commission has previously warned that those who breach these rules, which came into force last week, could face millions in fines.

Following the leak, a spokesperson said the authority was exempt from GDPR laws for ‘legal reasons’.

Officials in Brussels will follow a similar set of new laws that ‘mirror’ those laid out in GDPR.

These rules will not enter force until autumn, according to the Telegraph.

The spokesperson added that the Commission is ‘taking and will continue to take all the necessary steps to comply’.

GDPR aims to strengthen and unify data protection for all individuals within the EU, which means cracking down on how companies use and sell user data.

Under GDPR, companies are required to report data breaches within 72 hours, as well as allow customers to export their data and delete it.

Companies scrambled to comply with the rules before they were ratified on May 25 with the Commission threatening hefty fines for those who breached them.

The bureaucracy’s website exposed 700 records that include people’s names, professions, and even some postcodes and addresses.

The records, some of which featured the private information of Britons, were collected during EU meetings and conferences and stored on data spreadsheets.

Tech website Indivigital found the documents are among thousands hosted by the website Europa.eu that are freely accessible online.

Many of them could be found by simply searching for the document on Google.

This leak would constitute a breach of GDPR rules were the blunder committed by other organisations or businesses.

What is GDPR?

The General Data Protection Regulation is an EU-wide law that came into force on May 25 2018.

It gives greater power to regulators to penalise companies who mishandle personal data or are not transparent about how their business uses it.

For consumers, it brings new powers that require firms to obtain clear consent from users before processing their data.

It also grants users a right to easily access the data collected from them and transparency on how it is being used.

Everyday users have to do very little to comply with GDPR – it’s more targeted at big online businesses.

Under the new rules, any company that controls or processes the data of EU citizens must adhere to the GDPR guidelines.

This ends territorial-based accountability used by some firms not based in the EU to previously avoid sanction.

The law also states that notification of a data breach must occur within 72 hours of being first discovered, increasing transparency around leaks.

The weight of fines able to be issued has also increased under GDPR.

Regulators will be able to issue penalties equivalent of up to four per cent of annual global turnover or 20 million euro (£17.5 million) – whichever is greater.

For tech giants such as Google and Facebook, this could mean the risk of fines running into the hundreds of millions.

Fines for such a breach can reach up to £17.5 million ($23 million) or four per cent of global turnover – whichever is largest.

Jon Baines, a data protection expert at law firm Mishcon de Reya, described the ‘irony’ of the EU’s admission.

‘Although the information disclosed here does not appear to be particularly sensitive, it does raise questions about the general level of compliance, and whether any further inadvertent disclosures have been made,’ he told the Telegraph.

Steve Gailey, security expert at database security firm Exabeam, added that the exposure ‘is embarrassing for the EU, coming hot on the heels of GDPR’.
