Tag: data

By Jan Vermeulen for MyBroadband

Customer data stolen from Africa’s largest supermarket chain is being auctioned by dark web extortion market RansomHouse, with bidding open at 20 bitcoin (R6.7-million).

Shoprite fell victim to the cyber extortion gang earlier this month, initially stating that there was a “possible data compromise” affecting some money transfer clients.

The retail group stated that some customers’ names and ID numbers were potentially leaked, specifically those who performed money transfers to and within Eswatini, Namibia, and Zambia.

However, RansomHouse soon claimed responsibility for the attack and demonstrated that it had exfiltrated names, ID numbers, and photographs of people’s government-issued identity documents.

The group claimed it compromised Shoprite’s whole know-your-customer (FICA) database for its money transfer service on 6 June 2022.

To prove its claims, RansomHouse posted 356 files containing customer identity data to its website on the dark web. Compressed, the files are just over 400MB.

RansomHouse threatened to sell the data and leak a portion online unless Shoprite paid up.

It appears Shoprite has refused to communicate with the group.

“With regards to Shoprite, we’ve made a decision to add more information about how their infrastructure was compromised,” RansomHouse said in a statement on Monday night.

“We’ll also publish the whole filetree data, so everyone could get the idea of how massive the leak actually is.”

RansomHouse said that Shoprite could easily fix the situation by contacting them.

“We’ve waited long enough for Shoprite to contact us and prevent the further leak, but they could not have cared less about their clients — they’ve only promised to notify everyone involved with an SMS,” RansomHouse said.

“This is the way large corporations prefer to deal with simple folk who entrust their personal data to these giants, not even an apology for violating all possible standards of data protection, not the slightest attempt to fix the situation.”

RansomHouse emphasised that Shoprite’s attackers did not infect the company’s systems with ransomware during the attack.

In its original notice about the breach, Shoprite promised affected customers would receive an SMS to the cell number supplied at the time of the transaction.

Shoprite said it implemented additional security measures to protect against further data loss by amending authentication processes, and fraud prevention and detection strategies to protect customer data.

It also locked down access to affected areas of its network.

RansomHouse claims that Shoprite had left customers’ data wholly unprotected.

“It’s been quite some time since we encountered something that outrageous,” the group said in an earlier statement.

“Their staff was keeping enormous amounts of personal data in plain text [and] raw photos packed in archived files, completely unprotected.”

RansomHouse said that apart from know-your-customer data, they also obtained “lots of other interesting stuff”.

MyBroadband contacted Shoprite for comment. The company did not respond at the time of publication.

 

Source: Withers World Wide

Workplace privacy arguably took a back seat during the pandemic as the working population grappled with seemingly more urgent concerns. But in the hybrid working world it is rearing its head as a difficult and complex issue for employers and employees alike.

Always on

Hybrid working has created a greater risk of work information becoming mingled with personal information as the boundaries between what is ‘work space’ and ‘private space’ and what is ‘work time’ and ‘personal time’ become blurred. This grey area can give rise to practical difficulties and potential disputes, such as the recent High Court case of Brake v Guy, which considered whether an employee who used her work email account for personal communications had any reasonable expectation of privacy in respect of those personal emails. The court held on the facts that she did not.

The use of work email accounts for employees’ private purposes is a perennial issue. Employees often forget that their employer may monitor the use of internal and external emails to ensure that its use is legitimate, lawful and not excessive. Whilst some employers may be cautious about reviewing emails which are obviously private, others may be less selective. It also creates issues for employees who are leaving a business, who may be keen to recover private emails stored on their work systems but may have difficulty sorting them from work emails or getting access to them once they are cut off from the company system.

Cloud-based computing is now a key feature of hybrid working. In one case, an employee who had been using his personal phone for personal text messages had been inadvertently logged into his work cloud platform, and consequently all of those text messages (some of which related to his dissatisfaction with his employer) were uploaded to a platform visible to his employer and colleagues. In another case, an employee of a start-up using Google Docs inadvertently uploaded personal documents containing private information for the whole company to see. Such cases represent a pertinent warning as to the privacy dangers of cloud-based systems and the risk of private information coming into the employer’s domain.

Employees are also often unaware that their employers have access to their internal chat platforms, such as Microsoft Teams, and that their conversations are not in fact private. Some employers use trigger-based software to monitor red flags on such platforms, or will perform random spot-checks for compliance purposes. Some less trusting employers may resort to ‘spyware’ to monitor employee productivity and to track employee location.

As we highlighted in our article last year, employers can rely on software to track how employees are spending their time: how many emails are sent per hour, how often the mouse is used, what location they are working from, and the traffic on Teams and other messaging channels. Employees should not overlook this, and should be aware that their use of work devices and platforms is fettered.

But there are also tricky issues for employers, who cannot simply assume that the inadvertent appearance of private information on work-based systems means that all rights to privacy in that information have been waived. Employers should question whether their information security policies are adequate, and whether they have warned staff of the consequences of mingling work and private communications and the monitoring of such communications, as well as ensuring that the consequences that follow for employees are fair and reasonable.

Regulatory alert

Employers must also be aware of the risk of regulatory intervention if they allow the use of unofficial communications channels to run riot. In December last year, the Securities and Exchange Commission in the US announced charges against J.P. Morgan Securities LLC (JPMS), after JPMS admitted that, over a three-year period, its employees often communicated about securities business matters on their personal devices, using text messages, WhatsApp and personal email accounts. None of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that the practices were not hidden within the firm. It received a fine of $200 million.

So what’s the message?

New ways of working bring new risks. From an employee perspective, the potential technological complexity of hybrid working creates a very real risk of confidential, personal information being disseminated more widely than originally intended. Employees need to be savvy, to ensure that their expectations of privacy in the workplace have caught up with the realities of the hybrid working world.

On the other hand, privacy breaches and monitoring systems raise a range of regulatory and practical issues for employers and should not be used indiscriminately or without warning. In general, employment tribunals (and the Information Commissioner) take the view that employees ought to be warned of the consequences of the personal use of workplace systems and regulators are taking an increased interest in practices that might militate against proper record keeping, with potentially expensive consequences for employers who have failed to keep up.

 

By Penelope Mashego for Fin24

Pharmacy retailer Dis-Chem has launched an investigation into a data hack at one of its third-party service providers that resulted in an “unauthorised person” accessing the personal details of customers.

In a notice on Wednesday, Dis-Chem said its investigation so far showed that the hacker gained access to first names, surnames, email addresses and cellphone numbers belonging to more than 3.6-million people.

The retailer said it was informed about the breach, which took place in April, at the beginning of this month. It has since taken steps to establish the scope of the breach and restore the “integrity” of its operating systems.

“Please note there is currently no indication that any personal information has been published or misused as a result of the incident. However, we cannot guarantee that this position will remain the same in future,” Dis-Chem cautioned.

The retailer added that it was continuing to monitor for any publication of the personal information accessed in the breach.

“While investigations into the incident are still ongoing, the operator has confirmed it has deployed additional safeguards in order to ensure protection and security of information on the database,” Dis-Chem said.

Dis-Chem also asked those possibly affected by the breach to be vigilant by:

  • Not clicking on suspicious links;
  • Not sharing passwords or PINs;
  • Changing passwords often;
  • Having regular anti-virus and malware scans on their devices; and
  • Providing personal information only when there is a legitimate reason.

Data bundles could last up to 6 months

By News24

Mobile data users may soon no longer have to worry about their data bundles expiring, following regulation amendments by the Independent Communications Authority of South Africa (Icasa).

In its Draft End-user and Subscriber Service Charter Amendment Regulations published last week, amending its 2018 regulations, Icasa said data bundles must remain active for six months before they expire, excluding promotional packages.

The amendments also require mobile operators to “apply data usage against the oldest of any unused data, until that data is depleted, and thereafter against the newly allocated data”.

Written submissions on the amendments will close next month.

By Iniel Dreyer, MD at Data Management Professionals South Africa

Software-as-a-Service (SaaS), such as Microsoft 365, has changed the game for many businesses, especially those in the Small, Medium and Micro Enterprise (SMME) market. It ensures always-on access and offers cloud-based storage, which means that data is available at any time and on any device.

However, this does not mean that data backup has become redundant, which is a misconception many businesses may be under – until it is too late. Ransomware and accidental deletion can still affect data stored in the cloud, and data loss events can be catastrophic for business no matter where the data is stored. It is essential to apply best practices around data management, including backing up Microsoft 365 data.

Shared responsibility

The big cloud providers like Microsoft operate on a shared responsibility model: they are responsible for the availability of their applications, while the data those applications contain, and who has access to that data, remain the responsibility of the customer. As long as the provider can deliver the functionality of its product, it is fulfilling its responsibility; it will make a best effort to assist in the event of ransomware, data loss or corruption, but recovering the customer's data is not ultimately its responsibility.

The easiest way to understand this is to think of cloud storage as a data centre, or, for smaller businesses, as an external hard drive. These are simply storage devices, wherever they are located, and businesses need to take steps to protect the data they contain. Whether data loss occurs through accidental deletion, malicious action or encryption by malware such as ransomware, once the data is gone, it is gone, unless a separate solution is in place to protect it and provide a recovery mechanism.

Hidden dangers

When files are accidentally (or purposely) deleted from cloud storage, there is only a limited time period in which they will be available to recover. For example, with Microsoft 365, users have 93 days to restore deleted files from the recycle bin before they are permanently removed. After this period, unless there is some sort of backup and recovery system in place, the files are gone.

There is also the growing problem of ransomware, which does not necessarily activate as soon as it lands on a system. Dormant ransomware can easily be synced into cloud storage and lie in wait, sometimes for months, before activating and encrypting data, including everything stored in the cloud: OneDrive files, email, SharePoint, Teams data and more. If native cloud retention keeps deleted and earlier versions for only 93 days, and the infection arrived six months before it activated, every copy the platform still holds already contains the dormant payload; the only clean recovery is a roll back to a copy taken before the infection, which has to come from a backup with a longer retention period.

Holistic solutions are needed

The risk of data loss is well known – businesses cannot operate when their data is encrypted or unavailable, it is expensive and time consuming to recover, and there is significant reputational risk attached to a data breach. The trouble is that most businesses only realise how significant the impact is once something happens and it is too late.

It is imperative to have some form of mitigation in place, whether as simple as an external storage device or a full backup and recovery solution from a third-party provider. The key is to maintain a backup copy in a location separate from production data, so that recovery is possible in the event of data loss.

Learn from the experience of others

The reality is that the principles and best practices around data management remain the same, no matter where data is stored. The basic steps are to make sure you are protected and can recover, and then to continually test that recovery ability. However, the reality is often more complicated, because not all data is of equal value, and most businesses are not data management experts.
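The two points above, that a 93-day native retention window cannot reach back past a six-month dormant infection, and that recovery has to be tested rather than assumed, can be seen in a small model. This is an added example, not code from the article or from Microsoft: all dates, file names and file contents are constructed, the weekly snapshot schedule and the 365-day third-party retention period are assumptions, and the 93-day figure follows the recycle-bin window the article cites.

```python
# Added example (not from the article): a toy model of retention windows and
# restore-point selection. All dates, file names and contents are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from hashlib import sha256
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Snapshot:
    taken: date
    files: Dict[str, bytes]  # path -> content as captured on that day


def content_hash(files: Dict[str, bytes]) -> str:
    """Order-independent digest of a file set, used as a known-good manifest."""
    h = sha256()
    for path in sorted(files):
        h.update(path.encode("utf-8") + b"\0" + files[path] + b"\0")
    return h.hexdigest()


# Constructed sample tenant data.
CLEAN_FILES: Dict[str, bytes] = {
    "Finance/ledger.xlsx": b"2021 ledger (constructed sample)",
    "HR/contracts.docx": b"employment contracts (constructed sample)",
}
CLEAN_HASH = content_hash(CLEAN_FILES)

FIRST_SNAPSHOT = date(2021, 7, 5)    # weekly snapshots start here (assumed schedule)
DROPPER_LANDED = date(2021, 12, 27)  # dormant payload synced into the tenant
ENCRYPTED_ON = date(2022, 6, 25)     # payload activates about six months later
TODAY = date(2022, 6, 30)            # the day the incident is discovered
NATIVE_RETENTION_DAYS = 93           # Microsoft 365 recycle-bin window cited above
BACKUP_RETENTION_DAYS = 365          # hypothetical third-party backup policy


def build_history() -> List[Snapshot]:
    """One snapshot per week for 52 weeks: clean, then dormant-infected, then encrypted."""
    history = []
    for week in range(52):
        day = FIRST_SNAPSHOT + timedelta(weeks=week)
        files = dict(CLEAN_FILES)
        if day >= DROPPER_LANDED:
            # The dropper is just another file to the sync client, so it is
            # faithfully copied into every later snapshot.
            files["Downloads/invoice.pdf.exe"] = b"MZ dormant stage (constructed)"
        if day >= ENCRYPTED_ON:
            # Activation: every file replaced by an unreadable blob.
            files = {p + ".locked": sha256(c).digest() for p, c in files.items()}
        history.append(Snapshot(day, files))
    return history


def latest_clean_restore_point(history: List[Snapshot], today: date,
                               retention_days: int,
                               first_infected: date) -> Optional[Snapshot]:
    """Newest snapshot that is both still retained and older than the infection."""
    cutoff = today - timedelta(days=retention_days)
    candidates = [s for s in history if cutoff <= s.taken < first_infected]
    return max(candidates, key=lambda s: s.taken, default=None)


def verify_restore(snapshot: Snapshot, known_good_hash: str) -> bool:
    """Recovery test: a restore is only good if it reproduces the known-good manifest."""
    return content_hash(snapshot.files) == known_good_hash


def run_scenario():
    """Returns (restore point under native retention, restore point under backup retention)."""
    history = build_history()
    native = latest_clean_restore_point(history, TODAY, NATIVE_RETENTION_DAYS, DROPPER_LANDED)
    backup = latest_clean_restore_point(history, TODAY, BACKUP_RETENTION_DAYS, DROPPER_LANDED)
    return native, backup


if __name__ == "__main__":
    native, backup = run_scenario()
    print("native 93-day retention restore point:", native.taken if native else None)
    print("365-day backup restore point:", backup.taken if backup else None)
    if backup:
        print("restore verified against clean manifest:", verify_restore(backup, CLEAN_HASH))
```

Under the 93-day window there is no retained snapshot older than the infection, so the native platform offers nothing clean to roll back to; the separately retained backup still holds the last clean week, and the hash check is the "test that recovery ability" step: a restore that does not reproduce the known-good manifest is treated as a failed recovery, not a success.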

There is no such thing as a ‘one size fits all’ approach to data management, protection and recovery, but the truth is that prevention is always better than cure, so some sort of system needs to be in place. Waiting for things to go wrong before trying to fix them will inevitably result in unforeseen repercussions and challenges. An experienced service provider partner can help businesses to implement the best solution for their needs based on industry, legal requirements, budgetary constraints, the value of data and more.

By Jillian Deutsch for Bloomberg

Meta Platforms has threatened to pull Facebook and Instagram from Europe if it is unable to keep transferring user data back to the US.

European regulators are currently re-working regulation on how European data is transferred across the Atlantic, after the previous Privacy Shield agreement with the U.S. was ruled invalid by the European Court of Justice in July 2020.

In its annual report published Thursday, Meta said that if it couldn’t rely on new or existing agreements — such as so-called standard contractual clauses — to shift data, then it would “likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.”

While it is unlikely that Meta would withdraw its flagship products from one of its most lucrative markets, its response highlights the increasing tension between the social media company and lawmakers over the ownership of user data.

The European Commission said negotiations with Washington have intensified, but they “take time given also the complexity of the issues discussed and the need to strike a balance between privacy and national security,” a Commission spokesperson wrote in a statement to Bloomberg on Monday.

“Only an arrangement that is fully compliant with the requirements set by the EU court can deliver the stability and legal certainty stakeholders expect on both sides of the Atlantic,” the spokesperson added.

In August 2020, the Irish Data Protection Commission issued a preliminary decision that Facebook's use of standard contractual clauses to transfer European data to the US violated the GDPR and should be suspended. A final decision should come in the first half of this year.

Data protection authorities are increasingly scrutinising these kinds of supplementary security measures that have allowed companies to send data back and forth in the absence of a new agreement, according to Patrick Van Eecke, a partner and head of cyber and data at law firm Cooley LLP.

“I am not surprised companies outside of Europe are reconsidering whether or not it makes sense to continue offering services to the European market as there are not many options left any longer,” said Van Eecke.

It is not the first time Facebook has threatened to ban its services. In 2020 it said it plans to block people and publishers in Australia from sharing news, in an attempt to push back against a proposed law forcing the company to pay media firms for their articles.

Personalised customer experience is key

“Customer is king” has been a mantra of business for decades. Variations of it have been used for centuries, and it carries a particular significance in marketing. The process of engaging existing and would-be customers requires an intimate understanding of their needs: marketers and salespeople need to know what makes people tick. Armed with these insights, businesses can win over customers and build loyalty for long-term commercial success.

The benefits of leveraging new technologies to build customer loyalty and retention cannot be overstated. A report from KPMG found that 52 percent of consumers would buy from their favourite brand even if it were more convenient and cheaper to buy from one of its competitors. Everything from an engaging onboarding process to unexpected rewards and other incentives can delight customers, and technology can make these experiences feel more personal than ever.

Unifying the customer experience

To have compelling conversations and build stronger relationships with customers, businesses need the right tools and structures in place.

The key to a unified customer experience is an integrated marketing system that can manage the entire customer journey. This gives businesses a single view of audience segmentation, cross-channel campaign activation, automated lead qualification, and sales generation. Once these processes are brought under one roof, marketers and salespeople can begin to approach customer journeys in a more intelligent way, determining which processes can be automated for efficiency and leveraging data to inform engaging experiences.

A good conversation takes intelligence

For marketers, intelligence is derived from data. Data helps them understand what customers have bought previously, how they browse the internet or physical stores, and the ways they interact with content.

Intelligence feeds into the way that salespeople interact with customers too. With intelligent insights and lead qualification tools, salespeople can have informed conversations with the right leads, rather than wasting both parties’ time with unproductive conversations.

Genuine sales automation also prevents salespeople from wasting time on administrative tasks. A study from Oracle found that handling repetitive administrative tasks that could be automated was the single largest frustration of salespeople, with 43% voicing their annoyance. Crucially, wasted time could be better spent acting on the intelligence provided by an integrated marketing system.

Personal experiences at scale

Marketers can go even further by building more intelligent databases and models that enable them to engage customers at scale. Data analytics help businesses make sense of big data and experiment in real time to test different strategies for engaging customers, while AI can not only personalise interactions, but also predict and individualise them.

Relationships that last a lifetime

There is no doubt that the marketing industry will undergo further changes in the future. As a result, the companies that have invested in the right customer data platform and customer relationship management system to ensure they have genuine customer intelligence are likely to come out on top. With these tools, they can implement strategies that deliver personal experiences and help create lifetime customers.

The entirety of Twitch has been leaked

By Chris Scullion for Video Games Chronicle

An anonymous hacker claims to have leaked the entirety of Twitch, including its source code and user payout information.

The user posted a 125GB torrent link to 4chan on Wednesday, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

VGC can verify that the files mentioned on 4chan are publicly available to download as described by the anonymous hacker.

One anonymous company source told VGC that the leaked data is legitimate, including the source code for the Amazon-owned streaming platform.

Internally, Twitch is aware of the breach, the source said, and it’s believed that the data was obtained as recently as Monday.

Twitch has confirmed the leak is authentic: “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”

The leaked Twitch data reportedly includes:

  • The entirety of Twitch’s source code with comment history “going back to its early beginnings”
  • Creator payout reports from 2019
  • Mobile, desktop and console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • “Every other property that Twitch owns” including IGDB and CurseForge
  • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
  • Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

Some Twitter users have started making their way through the 125GB of information that has leaked, with one claiming that the torrent also includes encrypted passwords, and recommending that users enable two-factor authentication to be safe.

If you have a Twitch account, it is recommended that you also turn on two-factor authentication, so that an attacker who obtains your password still needs your phone to prove your identity, using either SMS or an authenticator app.

To turn on two-factor authentication:

  • Log on to Twitch, click your avatar and choose Settings
  • Go to Security and Privacy, then scroll down to the Security setting
  • Choose Edit Two-Factor Authentication to see if it’s already activated. If not, follow the instructions to turn it on (you’ll need your phone)

The torrent also reportedly includes Unity code for a game called Vapeworld, which appears to be chat software based on Amazon’s unreleased Steam competitor Vapor.

Meanwhile, Vapor, the codename for an alleged in-development Steam competitor, is claimed to integrate many of Twitch’s features into a bespoke game store.

Finally, the leaked documents allegedly show that popular streamers such as Shroud, Nickmercs and DrLupo have earned millions from working with the popular streaming platform.

What it doesn’t include is money that streamers have earned outside of Twitch, including merchandise, YouTube revenue, sponsorships and external donations.

The anonymous leaker has stated that this is just the first part of the content due to be leaked, but hasn’t stated what they plan to also release.

One cyber security expert said on Wednesday that, if fully confirmed, the Twitch hack “will be the biggest leak I have ever seen”.

Twitch has regularly found itself under fire from creators and users who feel the site doesn’t take enough action against problematic members of the Twitch community.

Last month a group of Twitch streamers called on other channels and viewers to boycott the site for 24 hours as a response to hate raids.

On the same day as the campaign was initially announced, Twitch posted a thread on Twitter explaining that it was attempting to stop hate raids but that it was not “a simple fix”.

“No one should have to experience malicious and hateful attacks based on who they are or what they stand for,” it stated. “This is not the community we want on Twitch, and we want you to know we are working hard to make Twitch a safer place for creators.

“Hate spam attacks are the result of highly motivated bad actors, and do not have a simple fix. Your reports have helped us take action – we’ve been continually updating our sitewide banned word filters to help prevent variations on hateful slurs, and removing bots when identified.

“We’ve been building channel-level ban evasion detection and account improvements to combat this malicious behaviour for months. However, as we work on solutions, bad actors work in parallel to find ways around them – which is why we can’t always share details.”

 

By Brett Venter for Stuff

South African insurance provider QSure was struck by a major data breach earlier this month, one that led to banking information and other sensitive data being compromised. The company hasn’t said how many records were scooped during the intrusion.

Hope they have insurance for this
Company COO Ian du Toit, speaking to TechCentral, said “On 9 June 2021, QSure became aware that it had been subject to illegal and unauthorised access to its IT infrastructure, and immediately isolated its IT network and shut down its systems.”

Du Toit added, “QSure immediately appointed three industry-leading and independent cyber-forensic and security technology firms to conduct a detailed forensic investigation into the cybersecurity incident.” He pointed out that the company has notified insurers, brokers and the relevant regulators with regards to the breach.

The data accessed “includes banking details, limited to the account holder name, bank account numbers and bank branch codes”, while “policyholder identity numbers, credit card details, any form of contact details, or policy content” were not accessed. So it’s not as bad as it could have been, but it’s still… less than ideal.

QSure provides services to the South African insurance industry, including collections and premium handling, so while you may not have heard of them, there’s a chance you’ve come into contact with them at some point. If you’re affiliated with Hollard in any way, you might want to check your emails for communication in this regard.

It’s not a good month for companies. If it’s not ransomware (which is arguably the better option for end-users) then it’s data breaches. This insurance hack is just the latest in a terrible month for cyber-security.

 

By Admire Moyo for ITWeb 

The South African government − through the proposed data policy, the Draft National Policy on Data and Cloud − wants to be the co-owner of all data generated in the country.

This is according to law firm Cliffe Dekker Hofmeyr, which says the policy has already attracted widespread debate among commentators, with many saying it raises issues around privacy and has the potential to scare off much-needed investment in the sector.

On 1 April, the minister of communications and digital technologies published a Draft National Data and Cloud Policy, together with an invitation for interested parties to submit written submissions to the department within 30 business days of publication of the draft policy, by 18 May.

However, the deadline has now been extended to 1 June.

Heather Irvine, partner at Bowmans, says the draft policy aims to transform SA’s economy into a digital economy that is both data-intensive and data-driven.

In particular, she says, the draft policy acknowledges the need to realise the socio-economic value of data through policy and law and to ensure open data, which is defined in the draft policy as “…data that is made freely available for use, re-use and republishing as [a party wishes], subject to ensuring protection of privacy, confidentiality and security in line with the Constitution”.

The draft policy proposes to develop a state digital infrastructure company and high-performance computing and data processing centre.

It also aims to consolidate excess capacity of publicly-funded data centres and deliver processing, data facilities and cloud computing capacity. Government also plans to develop ICT special economic zones, hubs and transformation centres.

Digital infrastructure
In its draft policy, the department states: “South Africa’s effective response to these challenges will depend significantly on the extent to which it exploits opportunities presented by the digital economy, through the development of policy frameworks that harness the economic and social potential of data and cloud computing.

“Such policy frameworks should be citizen-centric and support already existing government initiatives of universal access and affordability of services. Most importantly, the frameworks should ensure challenges associated with lack of access to digital infrastructure, devices, software, applications and digital skills are addressed.”

Thabo Mashegoane, president of the Institute of IT Professionals South Africa (IITPSA), says the draft policy indicates government is considering the gravity of the fourth industrial revolution (4IR) and taking a progressive stand on digital development.

“This is an indication that government is moving to try to overcome challenges that have hampered its digital progress in the past – such as concerns about security when storing and moving data of national importance,” he says.

“At the same time, it indicates a willingness to address issues such as SMME access to digital technologies, a lack of digital skills in the country, and the barriers to entry preventing millions of South Africans from benefiting from the 4IR.”

However, IITPSA board member Moira de Roche notes the draft raises questions around why government would create a new platform and state-owned company to focus on data and networking, particularly since the primary purpose of government should be to set, implement and monitor policy.

She says the private sector is well-placed to partner with government on the implementation of a high-performance computing and data processing centre.

“While a Centre for High-Performance Computing exists in Cape Town, run by the CSIR [Council for Scientific and Industrial Research], there is an opportunity to expand the scope of these centres. If the private sector is brought in, and they can run the centre in a way that affords small and medium businesses access to cloud computing at a reasonable price, then it could be very beneficial.”

Informed policy development
Law firm Michalsons points out that the policy “seeks to strengthen the capacity of the state to deliver services to its citizens; ensure informed policy development based on data analytics; as well as promote South Africa’s data sovereignty and the security thereof”.

It adds this policy seeks to enable South Africans to realise the socio-economic value of data through the alignment of existing policies, legislation and regulations.

The policy further seeks to put in place a conducive and enabling environment for the data ecosystem to thrive, Michalsons notes.

The Department of Communications and Digital Technologies states the lack of proper policy guidelines with regard to data generation and storage could pose a threat to national security.

Commenting on this possibility, Christoff Pienaar, director and national head of the technology, media and telecommunications practice at Cliffe Dekker Hofmeyr, says data has always been a very important part of the national security concept.

“Inadequate data protection legislation could be a threat to national security, especially economic security. The reason for this is that countries with weak data protection legislation are perceived as unsafe destinations for data sharing and storage, and this in turn has economic consequences for such countries’ ICT sector,” he says.

 

My Office News Ⓒ 2017 - Designed by A Collective

