Tag: data breach

Source: Business Insider 

Information apparently drawn from a massive leak of its data is “on the Internet”, credit bureau Experian admitted on Tuesday night.

To date the company has insisted it had contained the breach, after handing over data on millions of South Africans, and bank account details of businesses, to someone it describes as a fraudster.

Now it says it will work to stop the further spread of the information.

As part of its investigation, “we have identified files which we believe contain Experian data relating to the incident on the internet,” Experian said in a statement.

“We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible.”

It also claimed – in direct contradiction to a timeline it has confirmed – to have taken “immediate steps to make sure that individuals and businesses in South Africa could take steps to protect themselves” once it became aware of the breach.

Experian announced the breach publicly in August, and banks started to issue warnings to their customers that the leaked information may be used to scam them.

What the company failed to mention, until questioned by Business Insider South Africa, was that it had handed over the information in late May, and noticed it had done so nearly two months later, in July.

It took nearly another month to investigate and obtain a private seizure order to recover the hardware on which the data had been stored.

Only after that did Experian tell consumers about the breach.

Having seized the hardware, the company said, it had contained the incident.

“We have been monitoring the various platforms (i.e. the dark web) to ascertain whether the data is being offered for sale. We also employed a leading digital forensic investigator to assist us with our efforts,” Experian said, when Business Insider asked how it knew the information had not been sold or distributed in the nearly three months it was with the “fraudster”.

“Also, from our internal investigations we ascertained that the fraudster conducts an insurance and credit services market place and uses the information to contact consumers in order to offer services to consumers.”

Experian has not said how it initially failed to detect the spread of the information, or exactly how it intends to contain the data this time around.


By Phillip de Wet for Business Insider SA

South Africa’s largest ever data breach has now been contained, says credit bureau Experian, which handed over the personal details of some 24 million people to an individual it now calls a fraudster.

But it is still not clear what happened between the end of May – when Experian handed over that data – and mid August, when that containment actually took place.

On Thursday Experian confirmed that what it terms “the release” took place on 24 May and 27 May. That was when it handed over data including ID numbers, telephone numbers, and physical and e-mail addresses of more than 23 million individuals and nearly 800,000 businesses to someone who presented themselves as authorised to have that information.

As of Thursday, South Africa’s largest banks are warning affected and potentially affected customers to exercise heightened vigilance, because that information could be used in identity theft attempts, or to convince people to hand over more information.

For all of June, July, and the first two weeks of August, customers were not aware of that possibility, though, as Experian first sought to plug the leak.

This week the company said it had secured the hardware the information had been stored on via an Anton Piller, a court order that allows for search and seizure without prior warning in order to preserve evidence in civil cases.

“[W]e delayed publishing the incident due thereto that the Anton Piller is reliant on the element of surprise and we therefore could not make the incident public,” the company told Business Insider South Africa on Thursday.

Experian said it had detected the breach on 22 July – 57 days after handing over the data.

“The fraud was detected once Experian struggled to contact the representative of the company on his mobile and then attempted to make contact on the company’s landline,” the company said in response to questions. “The actual person who was impersonated confirmed that he did not have any dealings with Experian.”

It immediately started to investigate, Experian said, but needed “to ensure that we have the necessary evidence that is required to apply for the Anton Piller order.”

It actually applied for that order on 13 August, 79 days after handing over the data.

The order was fully executed by 18 August – 84 days after the breach.

On Thursday Experian said it believes “that the incident has been contained”, after it seized hardware from the suspected fraudster and the data was “secured and deleted”.

Asked why it believed the data had not been sold or otherwise passed on in three months, the company said:

“We have been monitoring the various platforms (i.e. the dark web) to ascertain whether the data is being offered for sale. We also employed a leading digital forensic investigator to assist us with our efforts.

“Also, from our internal investigations we ascertained that the fraudster conducts an insurance and credit services market place and uses the information to contact consumers in order to offer services to consumers.

“Due to the serious nature of the Anton Piller order, we are not permitted to share any details around this.”

The company also reiterated that it believes the breach was not that big a deal, as the “consumer information concerned was publicly available information”.

By Sizwe Dlamini for IOL

Consumer, business and credit information services agency Experian has experienced a breach of data which has exposed personal information of as many as 24-million South Africans and 793 749 business entities to a suspected fraudster.

Experian confirmed in a statement on Wednesday that the breach had been reported to law enforcement and the appropriate regulatory authorities.

The company had handed over information to a suspected fraudster; it said the suspect had since been identified and the data deleted.

It said banks had been working with Experian and the South African Banking Risk Information Centre (SABRIC) to identify which of their customers might have been exposed to the breach and to protect their personal information, even as the investigation unfolds.

Banks and SABRIC have also been co-operating with Experian in their efforts to secure the data and ensure the perpetrators are brought to book.

SABRIC chief executive Nischal Mewalall said the compromise of personal information could create opportunities for criminals to impersonate another person but did not guarantee access to banking profile or accounts. “However, criminals can use this information to trick you into disclosing your confidential banking details.”

“Should you suspect that your identity has been compromised, apply immediately for a free Protective Registration listing with Southern Africa Fraud Prevention Service (SAFPS). This service alerts SAFPS members, which includes banks and credit providers, that your identity has been compromised and that additional care needs to be taken to confirm that they are transacting with the legitimate identity holder,” said SABRIC.

Consumers wanting to apply for a Protective Registration can contact SAFPS at protection@safps.org.za.

SABRIC and SAFPS urged bank customers and other consumers to follow sound identity management practices to mitigate the risk of impersonation and fraudulent applications.

SAFPS chief executive Manie van Schalkwyk said: “Think of your identity information in the same way as you think of cash. Keep it safe and secure at all times, because once it is compromised, it can be used by anybody, often to impersonate you.”

It is also recommended that bank customers follow precautionary measures, including:

  • Do not disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax, text message or even email.
  • Change your passwords regularly and never share them with anyone else.
  • Verify all requests for personal information and only provide it when there is a legitimate reason to do so.


Nedbank’s client data hacked

Source: Xinhuanet

Nedbank service provider’s IT systems have been breached, exposing the personal information of up to 1.7 million clients, said the bank last Thursday.

Computer Facilities, which does direct marketing for Nedbank by sending short messages and email marketing information on behalf of the bank, was breached.

The bank said the “potentially compromised data” included names, identity card numbers, telephone numbers, and physical and/or email addresses.

“We regret the incident … and the matter is receiving our urgent attention. The safety and security of our clients’ information is a top priority,” said Nedbank CEO Mike Brown, adding that the bank’s own systems and client accounts were not impacted.

“We are communicating directly with affected clients. We are also taking the necessary actions in close cooperation with the relevant regulators and authorities,” said Brown.

Nedbank group Chief Information Officer Fred Swanepoel said they have secured and destroyed all their client information held by Computer Facilities.

Last year the City of Johannesburg’s systems were hacked and a payment in bitcoin was demanded. In 2017 South African insurance company Liberty was hacked and a ransom was demanded.

By Warwick Ashford for Computer Weekly

The cost of a data breach has risen 12% over the past five years to £3.2m on average globally, with a 10.56% increase in the UK in the past year alone to £2.99m on average, a study reveals.

In the UK, the average size of a data breach has increased 3.6% and the per capita cost per lost or stolen record is £119, which represents an increase of 9.69% from 2018 and has nearly doubled in the past ten years, according to the annual Cost of a data breach report conducted by the Ponemon Institute and sponsored by IBM Security.

The rising costs are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks, the report said.

The report is based on in-depth interviews with more than 500 companies around the world that suffered a breach over the past year, including 45 in the UK, and takes into account hundreds of cost factors, from legal, regulatory and technical activities to loss of brand equity, customers, and employee productivity.

The study found that data breaches in the US are the most expensive, costing $8.19m (£6.6m), or more than double the average for worldwide companies in the study, and that the cost for data breaches in the US has increased by 130% over the past 14 years from $3.54m (£2.8m) in the 2006 study.

The financial consequences of a data breach, the report said, can be particularly acute for small and midsize businesses. Globally, companies with fewer than 500 employees suffered losses of more than £2m on average, which is a potentially crippling amount for small businesses, which typically earn £40.1m or less in annual revenue.

The report also examined the longtail financial impact of a data breach, finding that the effects of a data breach are felt for years. While an average of 67% of data breach costs were realised within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach.

The longtail costs were higher in the second and third years for organisations in highly regulated environments, such as healthcare, financial services, energy and pharmaceuticals.

“Cyber crime represents big money for cyber criminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services.

“With organisations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line –and focus on how they can reduce these costs,” she said.

The report found that malicious breaches are the most common and most expensive, with 51% of data breaches in the study in the UK and globally resulting from malicious cyber attacks (up from 42% globally in the past six years) and costing companies £805,000 ($1m) more on average than those originating from accidental causes.

However, the report said inadvertent breaches from human error and system glitches were still the cause for nearly half (49%) of the data breaches in the report, costing companies £2.8m ($3.5m) and £2.6m ($3.24m) respectively.

These breaches from human and machine error represent an opportunity for improvement, the report said, which can be addressed through security awareness training for staff, technology investments, and testing services to identify accidental breaches early on.

One particular area of concern is the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018, representing 43% of all lost records for the year, according to the IBM X-Force Threat Intelligence Index.

“Mega breaches” the report said, typically lead to “mega losses”. While less common, breaches of more than one million records cost companies a projected £33.8m ($42m) in losses, and those of 50 million records are projected to cost companies £312m ($388m).

For the 9th year in a row, the study found that healthcare organisations had the highest cost of a breach of nearly £5.2m ($6.5m) on average, which is more than 60% greater than other industries in the study.

The report notes that the past 14 years have shown that the speed and efficiency with which a company responds to a breach has a significant impact on the overall cost.

This year’s report found that the average lifecycle of a breach was 279 days, with companies taking 206 days to first identify a breach after it occurs, and an additional 73 days to contain the breach.

Incident response

The study shows that companies with an incident response team that also extensively tested their incident response plan experienced £990,000 ($1.23m) less in data breach costs on average than those that had neither measure in place. Companies that were able to detect and contain a breach in less than 200 days spent £965,000 ($1.2m) less on the total cost of a breach.

This appears to be an area that needs some attention in the UK, where the mean time to identify the data breach increased from 163 to 171 days from 2018 and the mean time to contain the data breach increased from 64 to 72 days.

Globally, the study found that companies that had fully deployed security automation technologies experienced around half the cost of a breach (£2.1m on average) compared with those that did not have these technologies deployed (£4.15m on average).

Extensive use of encryption was also a top cost saving factor, reducing the total cost of a breach by £289,000, the study shows.

Breaches originating from a third party – such as a partner or supplier – cost companies £297,000 more than average, the report said, emphasising the need for companies to closely vet the security of the companies they do business with, align security standards, and actively monitor third-party access.

Researcher reveals Eskom data leak

By Charlie Osborne for Zero Day 

In what may be a case of “if we ignore it, it will go away,” South Africa’s largest electricity company has become the subject of the public exposure of customer data after ignoring researcher pleas to resolve the problem.

Eskom is South Africa’s state-owned electricity company which generates approximately 95 percent of the region’s electricity, as well as roughly 45 percent of all of the electricity used across the African continent.

On Tuesday, cybersecurity researcher Devin Stokes sent a public tweet to Eskom that appears to express frustration at the electricity provider’s lack of communication.

Stokes said, “You don’t respond to several disclosure emails, email from journalistic entities, or Twitter DMs, but how about a public tweet? This is going on for weeks here. You need to remove this data from the public view!”

The following image contains a screenshot of what appears to be customer and service-related data, including account IDs, start and end service dates, and meter information:

Several hours later, Stokes published a further screenshot with a live timestamp, commenting, “OK. It got worse.”

It appears that this database entry contained some of the financial data of a customer, including name, card type, a partial card number, and CVV, the three-digit security code which is required for purchases in-person or online.

According to the researcher, the electricity provider has left its billing software database exposed, lacking so much as a password.

The most recent customer estimates available, published in 2016, claim that Eskom accounts for roughly 5.7 million customers across South Africa. It is not known how many customers may have been involved in the reported breach.

However, this may not be the only security failure Eskom needs to grapple with — as one of the company’s own employees may have complicated matters further in their gaming enthusiasm.

In a screenshot posted by MalwareHunterTeam, another Twitter user warned Eskom of the existence of a Trojan on one of their networked, corporate machines. The user reported that the Trojan infected the machine through a fake SIMS 4 game installer.

The Twitter user, going under the handle “@sS55752750,” added that the offending employee is a “senior infrastructure advisor.”

While there has been no news on the exposed database, Eskom did thank the researcher who disclosed the Trojan’s existence, saying, “This has been investigated and the necessary actions have been taken. Thank you for bringing it to our attention.”

“Accidental breaches of this type further drive home the point that every company should have a formal process to accept vulnerability reports from external third parties,” Jon Bottarini, Lead Technical Program Manager for HackerOne told ZDNet in response to the news. “Exposing the vulnerability details on Twitter seems to have been the last-ditch attempt on behalf of the security researcher to try and get in contact with someone who can resolve the issue.”

Eskom told ZDNet that the company is “conducting investigations to determine whether sensitive Eskom information was compromised as a result of this incident,” but will not comment further until the investigation has been concluded.

By Tehillah Niselow for Fin24 

Liberty Holdings customers received SMSs on Saturday alerting them that personal information related to their insurance policies could have been stolen by an external party.

The Information Regulator, which has asked for information about the Liberty breach, is clearly concerned about the increasing number of cyber attacks affecting personal data in South Africa.

“Without a fully functional Information Regulator, these breaches will continue to occur without sanctions provided for in the Protection of Personal Information Act (POPIA),” said chairperson Advocate Pansy Tlakula.

Tlakula urged “the powers that be to assist it in fast tracking its operationalisation”.

According to corporate law firm Michalsons, certain limited sections of POPIA have already been implemented. However, the bulk of the legislation will only commence at a later date, to be proclaimed by the president. As there is a one-year grace period, the POPIA deadline might only be set for the end of 2019 or in 2020.

In the meantime, South Africans are coming under heightened attack from cyber criminals and hackers.

Andrew Chester, MD of Ukuvuma Security, told Fin24 that affected clients or users should immediately alert their banks and cellphone provider. They should also undertake a credit check as well as a Google search to determine whether their personal information is in the public domain.

Liberty email hack

In SMSs to clients on Saturday, financial services company Liberty informed them that its email repository had been breached by a third party trying to demand a “ransom” in exchange for the data.

Liberty has not revealed much about the breach, citing a police investigation. CEO David Munro confirmed that Liberty’s insurance clients were the only ones affected, and that none of its other business had been compromised.

The company said none of its clients have been impacted financially, and that individuals will be personally advised if their information has been affected.

ViewFines licence details

In May the Hawks, the State Security Agency and the Information Regulator said they would probe the breach of personal records of 943 000 South African drivers, allegedly from online traffic fine website ViewFines.

The information reportedly contained the names, identity numbers and email addresses of South African drivers stored on the ViewFines website in plaintext.

The ViewFines website is owned by Aggregated Payment Systems. News24 reported that its operations manager confirmed the company was “implementing security measures immediately” to improve the website after being informed of the breach.

The source of the data was located by Troy Hunt, an Australian security researcher and creator of the free service Have I Been Pwned, which checks whether an individual’s information has been compromised.

Facebook scandal

While Facebook founder and CEO Mark Zuckerberg had to face angry lawmakers in the US and European Union, it was reported that the data breach involving the UK political consultancy affected almost 60 000 South African users.

In May, the Information Commissioner’s Office of the United Kingdom (which regulates Facebook outside the US and Canada) advised the Information Regulator of South Africa that over 87 million people had been affected worldwide.

However, no evidence could be found of South Africans having been targeted, as the majority of users involved were in the US.

Master Deed’s data breach “biggest” digital security threat in SA

Hunt was once again instrumental in revealing what was known as the “biggest” data breach in South African history, together with iAfrikan CEO Tefo Mohapi in October 2017.

Over 60 million South Africans’ personal data, from ID numbers to company directorships, was believed to have been affected.

The information was traced to Jigsaw Holdings, a holding company for several real estate firms including Realty1, ERA and Aida. The information reportedly came from credit bureau agencies, and was used to vet potential clients.

The information trove was found not to have been hacked, as it was stored in an easily accessible manner on an open web server.

Ster-Kinekor’s database compromised

Movie theatre chain Ster-Kinekor was responsible for up to 7 million South Africans falling victim to a data leak in March 2017.

Fin24 reported that Durban developer Matt Cavanagh announced he had discovered a flaw in Ster-Kinekor’s booking website, and that he had reported it to the company.

There were between 6 and 7 million users in the database. Of those, 1.6 million people had email addresses linked to them on the movie theatre chain’s database.

Source: EWN 

Nearly 60 000 South African users have allegedly been impacted by the Facebook/Cambridge Analytica data breach.

The breach, which affects more than 87-million Facebook users, came after some 270,000 people allowed a researcher to use their data.

In 2013, a Cambridge University researcher named Aleksandr Kogan created a personality quiz app. Through the app, Kogan scraped the data of the quiz-takers’ friends as well, a move allowed by Facebook until 2015.

The researcher then sold the data to Cambridge Analytica, which was against Facebook rules.

A Facebook spokesperson says 33 users in South Africa downloaded the quiz app, and a further 59,777 were friends of people who installed the app elsewhere in the world.

Facebook CEO Mark Zuckerberg says there was a breach of trust between Kogan, Cambridge Analytica and Facebook.

“But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.”

Zuckerberg says Facebook has a number of plans to prevent something like this happening again.

“First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity. We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps. That includes people whose data Kogan misused here as well.”

By Alex Hern for The Guardian 

Facebook has started the process of notifying the approximately 87 million users whose data was harvested by the election consultancy Cambridge Analytica.

The social network eventually hopes to inform every user who was affected with a warning at the top of their Facebook news feed. For now, however, individuals can check by going to a new help page on the site or searching for “How can I tell if my info was shared with Cambridge Analytica?” in Facebook’s help centre.

Most users will see a message saying that “neither you nor your friends logged into ‘This Is Your Digital Life’”, the personality quiz that Cambridge Analytica used to gather its data.

Around 87 million individuals, including more than 1 million people in the UK, will receive a different response saying “a friend of yours did log in”.

That means that their public profile, page likes, birthday and current city were likely shared with the company, as well as potentially the contents of their news feed at the time.

Around 300,000 people – including 53 people in Australia, 10 people in New Zealand, and an unknown number of users in the UK – will receive a message informing them that they installed the This Is Your Digital Life app.

This means they almost certainly handed over the personal information of all their Facebook friends at the time, as well as formed part of the core group for the psychometric profiling that Cambridge Analytica carried out during the US election campaign.

Facebook has promised widespread changes to its platform to prevent further “abuse” of the sort it attributes to Cambridge Analytica. “These actions would prevent any app like [This Is Your Digital Life] from being able to access so much data today,” the company said in March.

By Eric Johnson for Recode 

Starting with its very first episode, the HBO TV series “Silicon Valley” satirized the idea that tech entrepreneurs were “making the world a better place.” But Yelp CEO Jeremy Stoppelman said people in his industry really believe that – or, at least, they used to.

“That’s something that I would say most people in Silicon Valley would like to believe,” Stoppelman said on the latest episode of Recode Decode.

“I think we’re waking up to realize a lot of big companies, presumably under pressure to grow and satisfy Wall Street, are focusing more on growth and making money than sticking to some core set of values that are aspirational.”

Stoppelman said the ongoing crisis of techlash is a reflection of some leaders’ inability or unwillingness to commit to corporate values early in their businesses’ existence, although he agreed with Apple CEO Tim Cook that “not all companies are created equal” in that regard.

“In some ways, Silicon Valley as a whole has lost its purpose,” Stoppelman said. “If its purpose really was, ‘Hey, we’re really trying to have a positive impact,’ just focusing on technology and growth might not be enough. You might actually have to make decisions that hurt growth.”

On the new podcast, Stoppelman also talked about Yelp’s years-long feud with Google. Yelp contends that Google has unfairly favored its own local listings in search results, something Stoppelman said the Google of the past would have criticized.

“The 2004 Google — the Larry Page-Sergey [Brin] Google — would make absolute fun of the search results you see today,” he said. “They pointed at Yahoo and said, ‘Look at Yahoo! They’re trying to trap you in their ecosystem. They don’t want you to get to the best of the web.’”

Scrutiny of big tech, he noted, is one of the few political issues that seems to have bipartisan support in the U.S. right now. But ultimately, despite some welcome regulations in the EU, Stoppelman said Yelp is carrying on with the assumption that the status quo is not about to be upended stateside.

“Obviously, we live in reality, and the government is not the speediest at dealing with these situations,” he said. “So we just find our way.”

My Office News Ⓒ 2017 - Designed by A Collective