Personal Information - The raw material of Cybercrime
The damage that has been caused to our citizens by delays in the development and promulgation of appropriate law, and the resultant failure by large processors of information in South Africa to protect clients, is well illustrated by the Liberty Life hack. So too is the attitude of so many of our blue-chip businesses to the protection of personal information reflected in Liberty Life’s responses to its clients and the public.
In that regard I provide a link to an article authored by me which was published in the Money section of the Business Times: https://www.businesslive.co.za/bt/money/2018-06-23-liberty-misses-the-point-on-financial-losses-from-e-mail-hack/. While you are invited to read the article, the simple point is that Liberty Life trivialises the fact that vast volumes of clients’ information had been hacked, emphasising that there had been “no financial loss”. The point that Liberty avoids is that the compromised information (one can only assume that much of it could be commercially sensitive) is precisely the information that allows criminals insight into the financial affairs of clients, enabling them to perpetrate frauds.
The conclusion is inescapable. Due directly to government’s failure to address the issue of how we need to protect personal information in the 21st century, processors of personal information, particularly some of the larger ones, have not established the appropriate security measures. The ease with which cybercriminals are able to access personal information, enabling them to credibly masquerade as legitimate actors in interactions with citizens, is certainly one of the reasons that South Africa is the second most targeted cybercrime country in the world. What has happened with Liberty is not an isolated incident, and many organisations are aware that their clients’ information has been compromised. Unfortunately, many of these organisations, in order to hide their own failings, and in view of the fact that the commencement of PoPIA has not yet been proclaimed, feel it is “OK” not to notify their clients of data breaches. This only serves to evidence the lack of ethical governance in the organisations that choose this approach.
As we are all data subjects, when the organisations that employ us are guilty of failing to protect personal information, we should be asking "... would I be happy if my information is not processed securely and a compromise is not disclosed to me?"
©Mark Heyink 2018