Data breaches are chronic and a growing menace for South African enterprises and consumers. Interconnected systems mean data breaches have become widespread threats affecting millions. As businesses transition to digital platforms to improve efficiency and customer experience, Carey van Vlaanderen, CEO of ESET Southern Africa, says this inadvertently creates more entry points for cybercriminals.
Information Regulator chairperson advocate Pansy Tlakula says the organisation receives more than 150 data breach notifications a month. In 2023, Tlakula revealed that the country suffered about 56 data breaches a month. This surge is partly blamed on the over-processing of personal information and a general complacency towards cybersecurity among South Africans. Notable breaches include the TransUnion hack in 2022 when cybercriminal group N4ughtySecTU demanded a US$15 million ransom after compromising 54 million personal records, including those of President Cyril Ramaphosa.
Globally, the infamous 2015 breach of Ashley Madison, a dating site for people seeking adulterous affairs, exposed the personal details of over 30 million users, leading to widespread embarrassment and, in some cases, extortion, suicide and divorce. In the recent Netflix documentary Sex, Lies & Scandal, Ashley Madison admitted to charging registered users to delete their full profiles. Not only was the company not cybersecure, it also never deleted any user information. In addition, its promise of security, anonymity and safety was false, leaving every registered user completely exposed when the database leaked and vulnerable to further targeting.
The economic impact of such cybercrime is profound. The Council for Scientific and Industrial Research estimates annual financial losses of up to R2,2 billion. Additional severe consequences of such breaches include significant reputational damage.
Consequences of data breaches include:
- Financial impact: The financial repercussions of data breaches are often staggering. Businesses face direct costs such as fines imposed by regulatory bodies, legal fees associated with litigation and expenses related to remediation efforts. For example, Equifax’s 2017 data breach, which exposed the personal information of 147 million people, resulted in a US$575 million settlement with the Federal Trade Commission. Indirect costs are equally significant, including loss of business due to damaged reputation and customer trust. Studies show that businesses can lose up to 20% of their customers following a data breach, leading to substantial revenue declines.
- Operational impact: Data breaches disrupt business operations, often requiring immediate and extensive responses to contain the breach and mitigate damage. This disruption can affect service delivery, leading to customer dissatisfaction and further reputational harm. Over the long term, businesses may need to shift strategic priorities, investing heavily in cybersecurity measures to prevent future incidents.
- Regulatory and legal impact: Businesses must navigate complex regulatory landscapes post-breach. Compliance issues and regulatory penalties are common, as in the case of British Airways, which faced a £20 million fine for a 2018 data breach under the General Data Protection Regulation. Additionally, businesses may face legal liabilities, including class-action lawsuits from affected customers.
For consumers, the consequences include:
- Financial loss: Consumers often bear the brunt of data breaches through direct financial losses. Cybercriminals can siphon money from bank accounts and make unauthorised charges on credit cards. Victims may also incur costs related to credit monitoring and restoration services to protect against further fraud.
- Privacy invasion: Data breaches expose sensitive personal information such as ID numbers, addresses and medical records. This exposure can lead to long-term issues like identity theft when criminals use stolen information to open fraudulent accounts or commit other crimes in the victim's name.
- Emotional and psychological impact: The emotional toll of a data breach can be profound. Victims often experience stress and anxiety from the loss of control over their personal information. Trust issues with digital services can develop, leading to reluctance to use online platforms for transactions or communications.
Take proactive steps
For protection, businesses should use firewalls and encryption and ensure that all software is up to date and patched against known vulnerabilities. Regular security audits and penetration testing also help to identify and fix weaknesses in systems. Additionally, educating employees about cybersecurity best practices and how to recognise phishing attempts and other common attack vectors can significantly enhance an organisation's security posture.
Consumers can also use strong, unique passwords and enable two-factor authentication wherever possible to add an extra layer of security to accounts. It is also crucial to be cautious with emails and links – avoiding clicking on suspicious links or downloading attachments from unknown sources prevents phishing attacks. Regularly monitoring financial statements and credit reports for any unauthorised transactions or activities is also important for early detection and response to potential breaches.
What if it’s already happened?
In the event of a data breach, businesses should take immediate action to contain the breach and assess the extent of the damage. Identifying compromised systems and data is crucial to prevent further unauthorised access. A clear communication strategy should notify affected parties and stakeholders transparently and promptly, which helps manage reputational damage and maintain customer trust. Implementing long-term measures to improve security protocols, investing in employee training and conducting regular security audits and updates of security systems will prevent future breaches.
Consumers affected by a data breach should take steps to protect their personal information. This includes monitoring bank and credit card accounts for unusual activity and changing passwords immediately. Strong, unique passwords should be used for different accounts. Consumers should also place fraud alerts with credit bureaus and freeze their credit to prevent unauthorised accounts from being opened. Professional help is available through identity theft protection services that monitor and mitigate the impact of breaches on personal information.
Advocate Tlakula's remarks underscore the urgent need for enhanced cybersecurity measures and greater awareness among enterprises and individuals, who should take action today.