Massive SA data breach – what should I do?

I’m sure by now most, if not all of you, have read about the massive data breach that is estimated to involve around 50 million South Africans, including deceased citizens, and several million children under the age of 18.

The data leaked includes ID numbers, personal income, age, employment history, company directorships, ethnicity, marital status, occupation, employer as well as prior addresses.

The event was revealed by Australia-based IT security researcher and owner of the free service Have I Been Pwned (HIBP), Troy Hunt, who said the information was published to a public-facing Web server where it could easily be found, and was a case of ‘gross incompetence’ on the part of the server owner.

There are several ways that individuals could be affected by the breach. The first danger is that criminals could use the data to open accounts and fraudulently transact as one of the individuals whose profile was leaked. Unfortunately, there’s enough information to make the transaction appear legit. However, I imagine they could reach a stumbling block, as opening credit usually involves having to furnish a pay slip or bank statement, and a copy of your ID.

But everyone should be vigilant – it’s pretty safe to assume that the vast majority of us have had details exposed. If you are concerned, get your credit report from a credit bureau to check if any anomalous activity has taken place. If you identify anything suspicious, apply for Protective Registration, which will provide you with additional security and will alert the credit provider or the bank in question that your ID number has been compromised.

The protective registration can be found on the Southern African Fraud Prevention Service (SAFPS) Web site. It is free of charge.

However, perhaps a greater danger is that this kind of personal information in the hands of cyber criminals could be used to perform highly targeted spear phishing attacks. Spear phishing is usually performed via email or other electronic communications. It is targeted at a specific individual or business, and usually encourages the individual to click on a link which will redirect them to a malware-laden Web site that is usually cunningly crafted to appear like the genuine article, and will often defy all but the closest scrutiny.

The more the attacker knows about an individual, the easier it is for him or her to send an email that appears totally legitimate. While the majority of these attacks aim to steal data such as login credentials for various acts of malfeasance, criminals might also intend to install malware on the user’s computer, whether for reconnaissance of the company’s network to exfiltrate information, as a key-logger to capture login details, or even to hijack the machine for use as part of a botnet.

Bottom line, never click on links or attachments in emails unless you are 100% certain they are the genuine article. Never, under any circumstances, give out your bank account number or PIN via email or over the phone. There is no circumstance in which the bank will ask for details this way, I assure you. Remember that after a breach of this nature, an attacker could easily lure someone by asking them for information of a similar nature to the leaked data – after a few questions, the victim might begin to trust the attacker.

For any of you who think you might have been affected, Hunt has a Web site where you can check your email address to see if it has been compromised. I know a few fear mongers were advising against this, and saying it could be a scam.

It isn’t. It is 100% legitimate – he has loaded 2.2 million unique email addresses from the leaked data set into HIBP. Individuals can search for their email addresses there, and it will return either a ‘yes’ or a ‘no’ as to whether the address has been leaked. It will also show on which sites it has been compromised.

The emails represent a very small portion of the leaked data, and Hunt has stated he will not make ID numbers searchable at all, as that data is sensitive and personal. He added, however, that anyone with an ID is likely to appear in the data set. Unfortunately, your ID is immutable data, or data that can’t be changed, but your password can, so if you do find your email address there – check where it has been compromised, and go and change your passwords on those sites. It’s not a bad idea to change passwords on all sites that house your sensitive information on a regular basis in any case.