So, you thought you were you? You aren’t. You’re him. And her. And the guy who bought that new Xbox you never used.
Towards the end of 2017, Troy Hunter, well-known security researcher and the creator of Have I Been Pwned, discovered that the personal details of more than 75 million South Africans had been leaked to the internet. This massive database came from the web server of a company called Jigsaw Holdings, and within it lay the ID numbers, contact details, addresses, and income estimates of every single one of these 75 million people.
He found the identity thief’s equivalent of an oasis in the desert.
Here lay the keys to unlocking the private lives of millions of South Africans, with an impact that is far more wide-reaching than just a few credit cards opened or an unexpected purchase of a fridge in India (this happened). It can destroy careers and credit ratings, damage the business and leave the victim a bloodied mess that nobody is prepared to help them clean up.
“Hackers can use your data to open new lines of credit in your name,” says Brennan Wright, of ThisIsMe. “They can purchase new cars, go on shopping sprees and even buy a new home. Your data can be used to receive tax claims on your behalf. Your credit profile could be damaged and your medical details used to access prescriptions. And the big costs in time and money to untangle your identity and credit profile will be yours.”
What makes things worse – yes, they can get worse – is that identity theft can be defined as a silent crime. It can go undetected for months or years and the victims have no idea that enormous debts are being run up in their name. Often, the victim only discovers the full depth of the disaster when they start receiving letters of demand.
“The figures are staggering,” says Marius Coetzee, CEO, Ideco. “We heard from the minister of Justice and Correctional Services, Adv. Michael Masutha, that within government alone, the fraud figures being talked about are in the order of R1.5 trillion per annum. EFT fraud alone totals around R400 million per annum.”
The silent theft
It will also impact on the victim’s career and the company they work for. As callous as this may sound, the organisation has to be as aware of its own security protocols to prevent data theft as it has to be aware of potential loss of data through an employee’s identity theft.
“When a key individual within a business is hacked, or sensitive data exposed, there is crossover between the business and the person,” says Wright. “Identity theft of a senior executive can have far-reaching consequences for the business as well as the executive. Access to accounts, information and people make this a seriously dangerous crossover.”
Let’s not forget the loss in productivity. Employees are so busy sorting out their mess that they aren’t giving their jobs 100%, understandably so. This means it’s time for everyone to step up, pay attention and put some protections in place, just in case.
“Start off by avoiding accessing sensitive information on a public WiFi network,” says Garnet Jensen, senior director for TransUnion. “Accessing personal data on public WiFi is an easy route for the cyber thief – never check your bank account or other sites with sensitive information while on one of these.”
Also, do yourself a favour and visit Have I Been Pwned and enter your information into the search bar. Troy Hunter’s site will likely show you instantly if your email address has been compromised in any specific breach or attack. Do the same for all email accounts, including business ones. Consider registering with a credit bureau, so that if anyone checks on your identity, you will be instantly alerted; you can then let them know that you’ve not applied for credit and the call is fraudulent.
“You can also register for updates on your credit profile, which, as the CEO or business owner, is an essential step,” says Frank Knight, CEO of Debtsource.
“Companies and individuals can also be more careful with online passwords, ensure proper malware protection, dispose of sensitive documents more carefully and train staff to know what to look out for.”
Ultimately, it really does pay to be far more cautious than most people tend to be. At the end of 2017, SplashData released their 100 Worst Passwords of 2017 and the most common password still in use on most devices is…123456, followed by ‘password’. In 16th spot, was ‘starwars’ followed by ‘dragon’, which reveals exactly which television shows were the most popular in 2017.
“Don’t write down PINs and passwords and avoid obvious choices,” says Kalyani Pillay, CEO of the South African Banking Risk Information Centre. “Use strong passwords for all your accounts, don’t carry personal information around with you, and remember that if you lose, your company also loses. It’s also vital that the organisation be aware of how this level of theft can impact on vendors and invoicing and must ensure it is always certain of the identity of the person the business is dealing with.”
If your identity has been stolen, your first step, according to Garnet Jensen, senior director for TransUnion, is to report the incident to the South African Fraud Prevention Service. Call their helpline on 0860 101 248 or visit http://www.safps.org.za.
Then alert your bank or credit provider, open a case with the SAPS and log a dispute with the Credit Bureau.
Greg Sarrail, VP of Global Sales, HID Global, suggests you send a registered letter to formally contact any creditors you are aware of to let them know what has happened.
For Wynand Smit, CEO of Inovo, you can check and see if someone is using a duplicate ID number by visiting https://www.gov.za/services/check-online-duplicate-id, also check your marital status as this is commonly used to arrange bogus marriages by going to http://www.dha.gov.za/index.php/minister-of-home-affairs/28-track-trace/78-track-trace-your-status.
This article was originally published in Brainstorm on 1 March 2018.