Who has your personal information and what can they do with it?
While a game of cat and mouse plays out with international hackers claiming to possess the personal information of millions of South Africans after breaching TransUnion’s database, and the latter refusing to pay the R222m being demanded, databases are being leaked as proof “samples”.
They reportedly include Cell C’s October 2010 database of 1.8-million subscribers, along with the names, ID numbers and cellphone numbers of ANC members from an August 2017 database.
According to MyBroadband, TransUnion has claimed that hacking incident impacted only an isolated server holding limited data.
But N4ughtySecTU has disputed this by means of “sample” posts, including President Cyril Ramaphosa and his wife’s identity numbers and Julius Malema’s ID number.
ITWeb news editor Admire Moyo was contacted by one of the hackers last Wednesday with the claim that the group had compromised personal records of up to 54-million South Africans and non-South Africans.
I am one of the 54-million victims whose personal information is in the hands of an unauthorised third party ... while all along I had a false sense of security. What are the odds that almost every South African with a credit history has been impacted as the hackers say?
— ITWeb news editor Admire Moyo
Sceptical of their claims, Moyo asked how they’d managed their audacious hack. In response the hacker reportedly said: “They left the door open. What a joke. They were using the word ‘password’ as their password.”
As proof, they told Moyo they had obtained his cellphone number from TransUnion’s database, and then sent him information about the first flat he’d rented, his cellphone number, work number, email address and ID number, as well as comprehensive details about the cars he’d owned.
“I am one of the 54-million victims whose personal information is in the hands of an unauthorised third party,” Moyo said, “while all along I had a false sense of security.
“What are the odds that almost every South African with a credit history has been impacted as the hackers say?”
The Information Regulator has instructed TransUnion to provide its office with a report detailing how it plans to notify the millions of South Africans affected by the cyberattack on its systems, and to come up with a solid security plan to prevent cybercrime.
The breach of credit bureau Experian in 2020 exposed the personal information of as many as 24-million South Africans and 793,749 business entities to a suspected fraudster, and, according to the SA Fraud Prevention Service (SAFPS), led to a massive spike in impersonation fraud.
But there is a lot consumers can do to fraud-proof themselves; to prevent the fraudsters from accessing their bank accounts or opening accounts in their name.
According to Absa Bank fraud strategist Ulrich Janse van Rensburg, to gain access to someone’s bank account a fraudster needs more than the leaked information.
To get that, they need the person’s bank passwords, one-time PIN and so on. So they target their potential victims by phone, in an attempt to trick them into believing they are calling from their bank, needing their help to prevent fraud on their account.
This week many Absa customers received an emailed letter from the bank advising them that: “Following Absa’s announcement of its isolated data leak in November 2020, and a resultant independent forensic investigation, we have now identified more compromised data and are contacting impacted customers directly.
“Unfortunately, this leak encompassed some of your personal information, including your identity and contact details.”
They were told that they might receive a phone call from Absa “to validate potentially suspicious transactions”.
So how can one tell the difference between the genuine fraud-related call and the pretending fraudster’s call?
The fraudsters ask their potential victims to reveal key numbers — the one-time PIN sent via SMS from their bank; the CVV number on the back of their credit card; their account password.
“Never approve a mobile banking application request or any other transaction request if you are not the one carrying out the transaction,” Absa warned its customers in this week’s letter. “We will never request you to approve the reversal of unauthorised debit orders, and have put in place measures to prevent and detect potential unauthorised debit orders.”
Real bank employees never ask for passwords, PINs or approvals. All they ask of their customer is to state whether a transaction is fraudulent.
They also never create a sense of panic in the customer, unlike fraudsters who know that panic reduces rational thought.
If you are unsure, end the call and call your bank’s fraud hotline.
• For extra protection, register for the SA Fraud Prevention Service Protective Registration — a free service.
Go to https://www.safps.org.za/ On the home page you’ll find a tab “Apply for Protective Registration” and have your ID book or smart card with you. The app will also capture a photo of your face.
All details are submitted to home affairs for verification.
Registration will alert credit providers to interrogate any credit application in your name, and give them the biometric tools for verification.
Dalene Deale, executive head of Secure Citizen, a providing digital solutions company working with the SAFPS, told Sunday Times Daily that on a scale of one to 10, “we are only at one” in terms of the number of South Africans who have registered to protect their identities from impersonation fraud.
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.