The last 12 months have seen several high-profile data breaches. In Europe, data protection has been under the microscope for 24 months in the run-up to the now active General Data Protection Regulation (GDPR). In a similar vein, organisations in South Africa are beginning to prepare for the announcement and implementation of the Protection of Personal Information Act (POPI).
The latest breach making headlines in South Africa is the news that just under a million personal records have been leaked online. The effects of this breach could see fraud on the rise, and for the organisation at fault, customer confidence is certain to be low. Security analyst and consultant Troy Hunt, founder of haveibeenpwned, identified the breach, which was then communicated to the technology news publication iAfrikan.
The leak of approximately 934,000 personal records contained highly sensitive information including:
- National Identification numbers
- Email addresses
- Full names
- Plain text passwords
The data was later revealed to have leaked from an unsecured web server belonging to the traffic fine organisation ‘ViewFines’.
Global breach landscape
Global data breaches have been on the rise, and it is not uncommon to read stories of organisations that have lost data to a breach. In South Africa, breaches have also been on the rise, and in 2017 the country saw its largest-ever data breach when the firm Dracore Data Sciences leaked a huge 75 million records from a database. This breach was also related to an unsecured web server and was said to have contained the personal records of 60 million South African citizens.
For a breach with global effect, you need look no further than taxi giant Uber. With both drivers and customers across the globe, Uber holds an enormous amount of sensitive information. In 2017, the firm admitted that a year prior it had suffered a hack in which two unnamed individuals had managed to access the records of over 55 million users (drivers and customers alike).
The breach was said not to have affected ‘core’ systems but rather data being held in a GitHub repository.
Equifax is one of the largest credit agencies in the world. When it suffered a catastrophic breach, it was quickly known that over 100 million people were likely at risk of having had their data stolen. Victims were largely in the United States; however, customers from Canada, the UK and other European countries were also affected.
The Equifax breach is thought to be one of the largest of all time. The estimated number of records now stolen is more than 145 million.
Consequences of a data breach
Data breaches are serious matters and, depending on the type of breach and the types of data lost, can have terrible consequences. While accidentally deleting large amounts of data is a serious breach and could have huge effects internally for an organisation, it is less likely to affect the person whom the data relates to. If, however, hackers gain access to personal records such as address details and a person’s credit card number, it’s clear that this could be used for fraudulent activity.
Data breaches are newsworthy items, and people have a greater understanding of data security and what a breach could mean to them. Organisations that regularly suffer breaches often have to deal with the effects this has on their reputation. Would you choose to be a customer of an organisation that put your personal data at risk?
A data breach can be costly for many reasons. There will be a cost associated with discovering and investigating the breach, not to mention fixing issues to ensure a breach is not repeated. However, the real costs will come in the form of fines for non-compliance with data protection laws. Fines are not the only penalties that can be imposed for non-compliance, but they are some of the most common. Under some data protection laws, individuals can be criminally prosecuted for non-compliance.
Europe’s GDPR can see organisations fined up to €20,000,000 for the most serious data breaches.
Staying protected against data breaches
Best practices for protecting data against loss or breach vary across systems and environments; however, there are some fundamentals that can help any organisation protect its data. The nature of the data being protected will also be a factor in how best to protect it.
Limit access to sensitive information
Limiting and tracking access to sensitive personal information gives greater visibility and control. Internal staff remain one of the most common sources of data breaches, including stolen data.
Data encryption is a widely used and highly effective method of protection. By encrypting data, organisations can render it useless even if cyber-criminals do manage to gain access to it.
Don’t use default passwords
Some of the most common cyber-attacks involve a stage in which hackers attempt to obtain passwords or login information to access systems. Unfortunately for unprepared organisations, ‘password’ and ‘admin’ are still commonly used passwords and give hackers easy access to systems and information.
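The ViewFines leak above exposed plain text passwords, and this section warns against default credentials. The following Python example, added here and not code from the article or from any organisation it names, shows the two defensive controls side by side: a credential store that refuses the default passwords the article mentions (‘password’, ‘admin’) and keeps only a salted PBKDF2 hash rather than the plaintext, plus a small audit routine that flags records in a constructed user table that still hold plaintext or default passwords. The PBKDF2 iteration count and the record format are assumptions for illustration, not values from the article.

```python
import hashlib
import hmac
import secrets

# Constructed sample of default/weak credentials (the article names 'password' and 'admin');
# a production deny-list would be far longer.
DEFAULT_PASSWORDS = {"password", "admin", "123456"}

# Assumed work factor: high enough to make offline guessing of a leaked hash slow.
PBKDF2_ITERATIONS = 600_000
HASH_PREFIX = "pbkdf2_sha256$"


def is_default_password(password: str) -> bool:
    """True if the candidate matches a known default or trivially guessable password."""
    return password.strip().lower() in DEFAULT_PASSWORDS


def hash_password(password: str) -> str:
    """Return a storable record holding a random salt and a PBKDF2-HMAC-SHA256 digest.

    The plaintext never reaches the database, so a leaked table cannot be used
    directly for credential stuffing the way the plain text passwords in the breach could.
    """
    if is_default_password(password):
        raise ValueError("default or trivially guessable password rejected")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Assumed record format: algorithm$iterations$salt_hex$digest_hex
    return f"{HASH_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record (e.g. a plaintext value) never verifies
    if algo + "$" != HASH_PREFIX:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_records(records):
    """Flag (user, stored_value) pairs that hold a plaintext password or a default one.

    Returns a list of (user, finding) tuples so the output can feed a remediation ticket.
    """
    findings = []
    for user, stored in records:
        if not stored.startswith(HASH_PREFIX):
            findings.append((user, "plaintext_password_stored"))
            if is_default_password(stored):
                findings.append((user, "default_password"))
    return findings


if __name__ == "__main__":
    # Constructed user table: one legacy plaintext row, one properly hashed row.
    table = [
        ("legacy_user", "password"),
        ("migrated_user", hash_password("correct-horse-battery-staple")),
    ]
    for user, finding in audit_records(table):
        print(f"{user}: {finding}")
```

Run as a script, the audit reports the legacy row twice (plaintext stored, and that plaintext is a default password) and says nothing about the migrated row; `verify_password` returns `False` for any record that is not in the hashed format, so a half-migrated table fails closed rather than silently accepting plaintext comparisons.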
Backup all data
Data loss and accidental deletion can be some of the most serious and costly breaches because of the associated downtime. Ensuring that a full backup of all data is in place allows organisations to recover data quickly and efficiently and cut downtime.