Data Breaches in South Africa: What You Need To Know (Updated 2021)
The impact of a data breach can be devastating.
According to research by IBM Security, the average cost of a data breach in South Africa has grown to R46 million in 2021. Added to that is the immeasurable loss to business reputation and shareholder confidence.
Regardless of what your company does or the size of your business, anyone can fall victim. Knowing the cause, impact, and response to past data breaches can help businesses protect their own data (and bottom-line) by learning to avoid the same pitfalls and mistakes.
In this article, we explore some of the most infamous data breaches to hit South Africa in recent years:
SA Department of Justice and Constitutional Development (September 2021)
A ransomware attack at the Department of Justice and Constitutional Development (DOJ&CD) potentially breached over 1,200 confidential files containing personal information.
The data included full names, banking information, and contact details of those who used services of the DOJ&CD. The Department warned users to be alert regarding the possibility of unauthorized transactions on their bank account and identity theft.
Notably, the cyberattack also delayed child maintenance payments and other critical systems. Despite media reports to the contrary, the Department stated that they did not receive a ransom demand.
Transnet (July 2021)
Transnet, the state-owned freight corporation, fell victim to a cyberattack that crippled IT systems and impacted operations on the ground, including the processing of cargo imports and exports.
The company declared force majeure and halted most operations at container terminals in Port Elizabeth, Ngqura, Durban, and Cape Town. Transnet Freight Rail and trucking divisions were impacted by knock-on effects.
According to cybersecurity experts, Transnet was likely infected with “Death Kitty” ransomware, which is often linked to hacker groups from Eastern Europe.
Transnet did not pay the ransom demand. Instead, the company activated business continuity and disaster recovery plans. This included manual backups, records, and processing measures. Within two weeks, most operations and ICT systems were gradually returned to normal.
Experian South Africa (August 2020)
Sensitive information on 24 million South Africans and almost 800 000 local businesses were leaked following a data breach at credit bureau Experian South Africa.
Experian provided the data to a fraudster who used social engineering tactics to masquerade as an existing client.
The data featured a wide range of personal attribute such as ID numbers, physical addresses, contact details, occupation, and job history. But notably, unlike many other major South African data breaches, business data was also leaked. This included company turnover values, business registration, credit, and financial information.
The suspected fraudster was arrested. However, the breached data was already made available online for free download.
ViewFines (May 2018)
Almost one million personal records were leaked after a data breach at ViewFines, a South African service that allowed registered users to view their traffic fines online. The leaked data included email addresses, names, phone numbers, and passwords.
This data breach in South Africa occurred during server maintenance at ViewFines, when the company used a web server to store backup files. Because the server was public, the data was openly accessible over the internet. It was during this 12-hour period that the data was downloaded by a third party, and later uploaded publicly.
ViewFines reacted by suspending their service and warning users about the breach via email.
Master Deeds (October 2017)
As of October 2021, Master Deeds marks the largest data breach in South African history with 60 million unique records exposed. The data belonged to a real estate company, Jigsaw Holdings, who allegedly used the data for finding potential clients.
The data featured personal, financial, and property ownership information. Along with names, ID numbers, and contact details, it included estimated income values, title deed numbers, bond amounts, property sale prices, company directorships held, and more
Affected individuals even included Former President Jacob Zuma and Ministers of Parliament. And shockingly, 29% of the 60 million records belonged to children and teenagers, citing their ID Numbers, deceased status, and gender.
The data was exposed on a public webserver (much like the ViewFines data breach). However, there is no clear indication on how long the data was publicly accessible. An investigation by cybersecurity expert Troy Hunt puts the exposed timeline between 7 months to 2.5 years, or even longer.
Ster-Kinekor (March 2017)
The Ster-Kinekor cinema franchise suffered a data breach due to multiple security holes in their website. The vulnerability allowed access to up to seven million customer account details, including names, emails, gender, and passwords.
It is not known whether the data was exploited before the company rectified the vulnerability.
eThekwini Municipality (September 2016)
The accounts of 98,000 users were exposed by a vulnerability in the eThekwini Municipality e-services system, allowing anyone to view residents’ personal information and municipal bills.
This South African data breach featured ID Numbers, physical addresses, passwords, and cell phone numbers. As such, phishing attacks were reported soon after, along with serious concerns over identity theft.
eThekwini Municipality did not take action after the data breach was reported to them directly. Only after the issue gained public attention on Twitter, did the Municipality react by taking their e-services offline.
Concerned About Data Breaches and Your South African Business?
We’re here to help.
Established in 2008, iSite Computers is a specialist Managed IT Services Provider. Our expert-led cybersecurity team helps small to medium-sized businesses proactively prevent, monitor, and mitigate data breach threats across their organization. Start the conversation with us today to learn more.