Two years ago, another credit bureau, Experian, had a data breach relating to 24 million consumers. The South African Fraud Prevention Service (SAFPS) reported that, in the year after the Experian breach, it saw a massive jump in fraud across the country. Chief executive of SAFPS, Manie van Schalkwyk, said fraud listings increased by 62%, victim listings increased by 54% and impersonation fraud tripled, rising 337%.
Less than six months ago, the Information Regulator raised the alarm that personal information accessed via the Experian data breach was being circulated on messaging app Telegram. Experian advised that it had asked its lawyers to request that the mobile operator suspend the cellphone account of the user who made the data publicly accessible, but told the regulator the user’s identity was unknown.
At the time, the chairperson of the Information Regulator, Pansy Tlakula, said: “Given the massive amount of data that was illegally obtained from Experian in 2020, and the evidence that this data remains in various platforms, contrary to assurances that had been given to us, it is clear that we have not seen the last incident of this type of exposure of people’s personal information.”
Although a hacking group claimed to have accessed the personal information of 54 million South Africans, TransUnion maintained that this was related to a previous data breach at the Department of Home Affairs. Last week’s breach “impacted an isolated server holding limited data in South Africa”.
TransUnion said fields of information that may have be affected included names, ID numbers, dates of birth, gender, contact details, marital status and information, identity of employer and duration of employment, vehicle finance contract number, and even vehicle identification numbers.
“In isolated circumstances, spouse information, passport numbers, credit or insurance scores may be impacted. Each data subject may have a combination of different fields impacted, depending on what data was available,” stated the TransUnion website.
TransUnion is now offering a year’s subscription to its identity protection package, TrueIdentity, to affected consumers.
South Africa has a Cybercrimes Act, which came into effect on 1 December 2021. Although TransUnion dodged a R50,000 fine by reporting the cybercrime within 72 hours, it may still be liable for a fine of up to R10-million under the Protection of Personal Information Act, for failing to adequately protect consumer data.
Van Schalkwyk said the personal information accessed was likely used in one of two ways. The first would be a phishing scam in which the criminals pretend to be from a financial institution. Phishing mails usually contain links to a website that looks like that of your bank. You are then prompted to log in to your online banking.
Once logged in, you have given the phishers your log-in and online banking password. Banks maintain that you have compromised your banking information and you are held financially responsible.
The second would be to impersonate you, known as identity theft. Using your personal details, the criminal applies for credit and racks up bills in your name. Again, you are held liable for this debt unless you can prove that it was not you.
How to know if you are affected
If you have incurred debt – from a personal, car or home loan, credit cards or a hire purchase agreement to buy furniture or tech, your details will be on file with the credit bureaus. TransUnion says it will be contacting affected consumers. You can be pre-emptive and contact South Africa’s four credit bureaus: TransUnion, Experian, Compuscan and XDS to check your credit profile.
Van Schalkwyk says the SAFPS offers a free service called Protection Registration, which offers a second layer of protection.
Scams to watch out for
Giuseppe Virgillito, FNB head of digital banking, said that typical scams to watch out for included:
Lost/stolen device: You receive a message to “help” locate your recently stolen device. The fraudster claims that, by clicking on the embedded link, you can locate the device. If your device is lost or stolen, delink your device from your banking app, block your banking profile and contact your bank.
Remote access: Be wary of random requests to install software on personal or business devices. This tactic can be used to install malicious software to access your banking profiles. If you suspect you are a victim, block your profile immediately and contact your bank.
SIM swap: A SIM swap occurs when a fraudster transfers your phone number to another service provider to control your SMS notifications. They then control notifications such as a one-time PIN (OTP) to commit fraud. Use services like FNB’s Smart InContact and never share your OTP.
SMS scam: Fraudsters claim that someone is trying to make a fraudulent transaction on your account. They send an SMS to share your banking credentials to deactivate your online or app banking profile. Even when doing transaction reversals, banks will never ask you to share your banking credentials such as your log-in details or PIN.
Social engineering: This includes malicious attempts deployed through human interaction to manipulate and trick people into making security mistakes or giving away sensitive information by working on their emotions. Some include vishing and phishing.
Vishing: Fraudsters pose as employees of a financial institution and try to persuade you to share your personal and banking information telephonically. A reputable financial services provider will never ask you to share this telephonically or via other channels. End the call immediately.
Phishing: Fraudsters send a link that directs you to a fake website where you enter your financial or personal information. If you must, visit a financial institution or a service provider’s website, type their web address into the URL rather than clicking on links.
Social media scams: Offers of low interest rate loans or crypto investment opportunities with high returns on social media are becoming quite common. Use reputable service providers and be wary of unsolicited offers. DM168
This story first appeared in our weekly Daily Maverick 168 newspaper which is available for R25 at Pick n Pay, Exclusive Books and airport bookstores. For your nearest stockist, please click here.