South Africans should be prepared for an onslaught of new phishing and social engineering attacks following the leak of more than 30-million e-mail addresses and other details earlier this week.
“While it’s unclear at this point how the information was obtained, South African organisations need to brace themselves for supercharged impersonation fraud attacks,” says Brian Pinnock, cybersecurity expert at Mimecast.
“This is social engineering on another level as half of the work is already done for potential hackers. They now have access to email addresses, mobile numbers and even ID numbers, marital status, employer information and income.
“Fraudsters can now target their victim by knowing the most sensitive information that only your most trusted service providers or family would know.”
Pinnock cautions users to be on their guard against malicious e-mails. “All email users should know the signs of a targeted email threat: is the email address legitimate, does the URL in an email or attachment take you to the correct site, is the language typical of the sender?
“Of course, the signs might not always be easy to spot so all organisations should consider advanced security with targeted threat protection. This will radically decrease the possibility of malicious emails getting through.”
The best defence, he adds, is to limit the damage that a compromised password can do.
“Everyone should consider changing all of their passwords and ensure that they don’t re-use these across online services,” Pinnock says. “It is vital to have unique passwords because as soon as one has been stolen, no channel is safe.
“Having the most sensitive information of more than half of South Africa’s population hacked and leaked on the internet is a clear indication that having an effective cyber-resilience strategy is no longer up for debate.”
The data breach itself appears to have been as a result of a company not taking information security and the confidentiality of its clients seriously, according to a statement from ESET.
“The industry is in the throes of dealing with commentary on the regulations released by the Information Regulator for public comment which has a deadline of 7 November – and we again have a situation where companies are not heeding the call to tighten up their controls on information systems,” the company states.
“News that records relating to citizens go as far back as the 1990s begs the question of why and how? Apparently, an insecure web server was the culprit in this instance.
“With POPI being top of mind, it is imperative that companies begin to take the security of clients’ confidential information seriously, because there will soon be punitive measures available to affected data subjects that will allow them to take reckless organisations to task for not implementing the necessary technological as well as organisational controls required under POPI.”