NWU stalwart Prof Lynette Drevin talks about Experian data breach
“Everybody should be cautious when they get unsolicited emails or telephone calls. Do not give out any sensitive information and be cautious of what is called ‘social engineering’ attacks. People who have certain soft skills and try to pose as a person with authority, persuading the individual being contacted to divulge personal information, can be seen as social engineers. This can lead to identity theft using your personal and sensitive information to the attacker’s advantage.”
This is the view of Prof Lynette Drevin, associate professor and subject chair at the School of Computer Science and Information Systems at the North-West University (NWU).
Prof Drevin specialises in information security awareness and in research in the field of information systems failures. She developed an Information Security module for honours students many years ago, while also developing an undergraduate module that focuses on information security, specifically because the NWU did not have such a module.
In the Experian case, a fraudster who impersonated a legitimate client of Experian – a multinational consumer credit reporting company – acquired information on about 24 million people and data on about 800 000 businesses.
According to Prof Drevin, the chief executive of Experian stated that they used legal means to identify the fraudster and confiscated the hardware that had been used in this attack. The misappropriated data was secured and deleted. He also confirmed that no consumers’ financial information had been obtained. The reason why the imposter obtained the data was to use it for their own marketing benefit (to get leads).
What you need to know
“All clients should be vigilant, as no one can be sure that this breach was fully contained, and in these types of attacks, other means may have been used to duplicate data and store it remotely in the cloud.
“Certain banks have issued warnings to their customers that the leaked information may be used to scam them,” Prof Drevin adds.
She also explains that the incidence of cybercrime is very high in South Africa and therefore consumers should be extra careful when giving out personal or sensitive information – be it on a website or email, by clicking on a web link, or when somebody is asking for it.
“Handle identity details with the same care as cash. If it gets into the attackers’ hands, you can be impersonated.”
In the case of Experian, it was not the fault of the clients that this breach happened, but that of the business. There must be proper controls in place to keep their clients’ data safe and there are legal measures to adhere to, for instance certain sections of the Protection of Personal Information Act (POPIA), which came into full effect from July this year. Businesses have been given 12 months to get all their processes in order to comply with this Act.
Prof Drevin’s passion lies in information security education and raising awareness about the subject because there are numerous scams and threats in cyberspace. She shares some tips to prevent phishing attacks and identity theft.
- Always be aware of the address of the sender of an email, the subject and the content. Very often small things can show if it is not a legitimate email, e.g. small deviations in the sender’s email address, you are not addressed by your name but as “dear customer”, etc.
- Be cautious of the attachments sent, e.g. never open an HTML-format attachment.
- Do not click on strange/unknown web links.
- Do not trust unknown senders of emails.
- Do not fall for money scams – you did not inherit money from a distant relative in England or Nigeria, nor did you win a prize for a competition that you did not enter.
- SARS/banks/other institutions will not ask you to confirm your eFiling/login details in an email – even when you need to get a refund. There is a legitimate process to handle this.
- Think before submitting sensitive information on the web or via a link, or when sending messages (on your computer or your phone). Think about what the receiver might be doing with your information when combining chunks of identity data.
- Cyber attackers can use the data they have harvested from a person to access your accounts, reset passwords, etc. They can also create a “fake” identity that looks as if it were you by using your own identity credentials (sensitive information retrieved from your reaction to social engineering and phishing attacks).
- Use anti-malware and anti-virus software on your computer.
- Filter emails to direct spam emails to your spam folder.
- Use strong passwords on websites and do not use the same one on many websites.
- Do not share login details with others.
- Attacks can come from inside or outside the company – be vigilant whom you trust with sensitive information.
- Ensure you read about these cybersecurity issues to become more aware of these types of threats – and be aware of what is going on around us at the present time.
- The human being is the strongest – or the weakest – link in cybersecurity.
The ongoing saga
New evidence came to light early in September 2020 that the information that had been unlawfully obtained by the fraudster in the Experian case had indeed surfaced on the internet, which implies that there can be potential misuse of the data in the hands of corrupt actors.