Wednesday, November 20African Digital Business Magazine

Data breaches and their fallout for South African enterprises and consumers

Data breaches are a chronic and growing menace for South African enterprises and consumers. Interconnected systems mean data breaches have become widespread threats, affecting millions. As businesses transition to digital platforms to improve efficiency and customer experience, Carey van Vlaanderen, CEO of ESET Southern Africasays they inadvertently create more entry points for cybercriminals.

Information Regulator chairperson advocate Pansy Tlakula says the organisation receives more than 150 data breach notifications a month. That’s compared to 2023 when Tlakula revealed that the country suffered about 56 data breaches a month. This surge is partly blamed on the over-processing of personal information and a general complacency towards cybersecurity among South Africans. Notable breaches include the TransUnion hack in 2022, where cybercriminal group N4ughtySecTU demanded a $15 million ransom after compromising 54 million personal records, including those of President Cyril Ramaphosa.

Globally, the infamous 2015 breach of Ashley Madison, a dating site for people seeking adulterous affairs, exposed the personal details of over 30 million users, leading to widespread embarrassment and, in some cases, extortion, suicide, and divorce. In the recent Netflix documentary ‘Sex, Lies & Scandal’, Ashley Madison admitted to charging registered users to delete their full profiles, but never actually did. The company was not cyber-secure but also never deleted any user information. In addition, its promise of security, anonymity and safety was false, leaving every registered user completely exposed when the database was leaked and vulnerable to further targeting.

The economic impact of such cybercrime is profound, with the Council for Scientific and Industrial Research estimating annual financial losses of up to R2.2 billion. The severe consequences of such breaches range from financial losses to significant reputational damage.

Consequences of Data Breaches

For Businesses

  • Financial Impact: The financial repercussions of data breaches are often staggering. Businesses face direct costs such as fines imposed by regulatory bodies, legal fees associated with litigation, and expenses related to remediation efforts. For example, Equifax’s 2017 data breach, which exposed the personal information of 147 million people, resulted in a $575 million settlement with the Federal Trade Commission. Indirect costs are equally significant. These include loss of business due to damaged reputation and customer trust. Studies show that businesses can lose up to 20% of their customers following a data breach, leading to substantial revenue declines.
  • Operational Impact: Data breaches disrupt business operations, often requiring immediate and extensive responses to contain the breach and mitigate damage. This disruption can affect service delivery, leading to customer dissatisfaction and further reputational harm. Long-term, businesses may need to shift strategic priorities, investing heavily in cybersecurity measures to prevent future incidents.
  • Regulatory and Legal Impact: Businesses must navigate complex regulatory landscapes post-breach. Compliance issues and regulatory penalties are common, as seen in the case of British Airways, which faced a £20 million fine for a 2018 data breach under the General Data Protection Regulation (GDPR). Additionally, businesses may face legal liabilities, including class-action lawsuits from affected customers.

For Consumers

  • Financial Loss: Consumers often bear the brunt of data breaches through direct financial losses. Cybercriminals can siphon money from bank accounts and make unauthorised charges on credit cards. Victims may also incur costs related to credit monitoring and restoration services to protect against further fraud.
  • Privacy Invasion: Data breaches expose sensitive personal information, such as ID numbers, addresses, and medical records. This exposure can lead to long-term issues like identity theft, where criminals use stolen information to open fraudulent accounts or commit other crimes in the victim’s name.
  • Emotional and Psychological Impact: The emotional toll of a data breach can be profound. Victims often experience stress and anxiety from the loss of control over their personal information. Trust issues with digital services can develop, leading to reluctance in using online platforms for transactions or communications.

Take Proactive Steps

To protect themselves, businesses should use firewalls, encryption, and ensure that all software is up-to-date and patched against known vulnerabilities. Conduct regular security audits and penetration testing to identify and fix weaknesses in systems. Additionally, educating employees on cybersecurity best practices and how to recognise phishing attempts and other common attack vectors can significantly enhance your organisation’s security posture.

Consumers can also take steps to protect themselves from data breaches. Using strong, unique passwords and enabling two-factor authentication (2FA) wherever possible adds an extra layer of security to your accounts. Be cautious with emails and links, avoiding clicking on suspicious links or downloading attachments from unknown sources to prevent phishing attacks. Regularly monitoring financial statements and credit reports for any unauthorized transactions or activities is also important for early detection and response to potential breaches.

But what if it’s already happened?

In the event of a data breach, businesses should take immediate action to contain the breach and assess the extent of the damage. Identifying compromised systems and data is crucial to prevent further unauthorised access. Develop a clear communication strategy to notify affected parties and stakeholders transparently and promptly, helping manage reputational damage and maintain customer trust. Implement long-term measures to improve security protocols, invest in employee training, and conduct regular security audits and updates to security systems to prevent future breaches.

Consumers affected by a data breach should take steps to protect their personal information. Monitor bank and credit card accounts for unusual activity and change passwords immediately, using strong, unique passwords for different accounts. Engage with credit bureaus to place fraud alerts and freeze credit to prevent unauthorised accounts from being opened in your name. Seek professional help by utilising identity theft protection services to monitor and mitigate the impact of the breach on your personal information.

Advocate Tlakula’s remarks underscore the urgent need for enhanced cybersecurity measures and greater awareness among both enterprises and individuals. Take action today.