Identity theft is costing South Africa a fortune and the scale of the problem is on the increase, says a research organisation.
According to Cleardata, ID theft contributed to the loss of R1bn from local companies in 2014 alone.
The Fraud Prevention Association found that there were 3 600 cases of identity theft in 2014 and the organisation predicted an increase in that number to 4 000 by the end of 2015.
“Business records containing customers’ personal information should never be put into a general waste or recycling bin where it can be accessed by criminals, as this creates a great risk for identity theft,” said Gianmarco Lorenzi, managing director of Cleardata.
Criminals are easily able to convert stolen IDs into cash by using the information to compromise security systems.
Despite the obligations of the Protection of Personal Information Act (Popi) and its mandate for companies to become more transparent when dealing with customer data, few South Africans are willing to share information on hacking attacks.
Criminals have seized on this and are taking aim at the second largest economy in Africa.
“There are no official crime stats. However, Wolfpack Risk estimates R2,5bn during the 2012/2013 financial year. Other international vendors peg the figure in South Africa at between R4bn and R5bn. Globally, the estimation is US$450bn/annum … and it’s increasing,” said Craig Rosewarne of Wolfpack Information Risk.
Wolfpack is a threat intelligence firm that specialises in understanding and predicting cyber threats.
Hackers have made big news in recent times and the Sony Pictures breach is estimated to cost the company at least $15m, not counting the cost to its reputation.
In South Africa, underwriter Candice Sutherland said around 974m company records were lost or stolen in 2014 — an estimated 31 records every second — perpetrated mainly by disgruntled employees.
She said that these stolen records amount to losses of at least R5,8bn, which can also be attributed to organisational negligence, rivals and hackers.
“Popi gives effect to a constitutional right to privacy and the unauthorised access to information regarding the educational, medical, financial, criminal or employment history of an individual as well as their personal details such as ID numbers, contact details and physical addresses is restricted by the Act,” said Sutherland, business development consultant at SHA Specialist Underwriters.
A lack of security protocols that results in an increase in personal data theft places South African companies at some risk, especially as consumers may turn to legal remedies for losses incurred.
“This steady increase in identity theft places organisations and their clients under greater risk of legal, financial and reputational repercussions and must not be taken lightly,” said Lorenzi.
Gaining entry to company servers has been shown to be simple using social engineering tricks.
“We would actually go and visit the client and we distribute USB sticks: Leave it in the bathrooms, leave it in the meeting rooms; put it on the desks,” said Trustwave cybersecurity expert Leon van Aswegen.
Trustwave is often tasked with investigating whether a company’s security is up to scratch and, through its SpiderLabs division, employs ethical hackers who test all aspects of cyber security.
“On the USB is a piece of code, if you open it up … people want to do the right thing. You make it look legitimate — put your pictures on there, make it look like it’s personal images and the person wants to return it to you because you’re going to lose your data,” said Van Aswegen of how the social engineering trick works.
“As soon as you click on a folder or anything, the script runs and you know that data is lost.” — Fin24