Estate Agency Data Breach – Cloud Backup Solutions

A Credit Bureau, an Estate Agency, and a Web of Cybercrime Intrigue

One of the country’s most prestigious real estate companies obtaining leaked customer information from the Experian data breach reads like a work of fiction. Yet this bizarre possibility is playing out in the media right now, with all parties involved scrambling to limit the damage to their reputations.

Real estate agency Pam Golding has been associated with luxury real estate in South Africa for decades, with the company successfully crafting a brand centred around exclusivity and the highest standards.

However, a recent data incident concerning the company’s contact database is shining an uncomfortable spotlight on this well-known estate agent’s network and its potentially bizarre connection to last year’s Experian data leak.

Did property giant Pam Golding obtain information from a data leak?

The handling of sensitive information by one of SA’s best-known companies was publicly brought into question recently when a cybersecurity researcher noticed a strange pattern of data ownership regarding their own email address.

The researcher, who is extremely careful when it comes to online privacy, used a catch-all email address with various aliases when entering their information online – a practice that’s worth emulating in your own personal and business dealings.

So far, there’s nothing surprising in the story – until you find out what happened next: the individual discovered that their email address had been compromised after Pam Golding revealed that a large chunk of its database had been subject to unauthorised access earlier this year, apparently due to stolen credentials.

  • The perplexing aspect of this incident was that the individual had never provided Pam Golding with the alias email address they usually use online.
  • On further inspection, they discovered that the realtor had also sent them a direct marketing email several months prior, once again to the same address that had never been voluntarily provided. However, the same address had been part of the Experian data breach that affected millions of customers across the country. 

The awkward question that arises from all of this is: how did Pam Golding come to possess this email address, and how many other people’s personal information does the company currently hold without their knowledge? 

As cybersecurity experts, we can think of two possible explanations for what happened: 

  1. Pam Golding somehow obtained leaked personal information from the Experian data breach last year, or 
  2. Experian provided them with this information through official – if not legitimate – means.

As a reputable and large business, which is very much a household name across South Africa and even in neighbouring markets like Mauritius, it’s hard to imagine Pam Golding skimming the dark net for opportunities to buy leaked Experian data. 

The far more likely explanation is that Experian has been sharing the personal details of credit customers from its database with third parties for a fee. As such, it’s more plausible that Experian, and not Pam Golding, has serious questions to answer regarding the protection of personal data privacy.

Are credit bureaus doing a side trade in confidential client information?

The allegation that credit bureaus sometimes sell confidential information to other businesses may be disturbing but it’s not new. Dominic White, one of the country’s foremost cybersecurity experts, has been speculating for years that this is the case. 

Without accusing either organisation of wrongdoing, it’s not a stretch to assume that something of this nature might have happened in a case like this.

Pam Golding declines to comment, citing POPI regulations

The media has reacted with an understandable measure of alarm in the wake of the Pam Golding and Experian accusations, and to date the real estate group has been tight-lipped about the details of the incident. It must be mentioned, however, that Pam Golding took immediate steps to contain the breach, acting swiftly to secure their systems and removing all unauthorised access.

In an ironic twist, Pam Golding maintains that they’re unable to comment on any aspect of their clients’ data in order to remain in compliance with the Protection of Personal Information Act. 

This, despite the fact that obtaining sensitive customer information from a third party without the owner’s permission could likely constitute a breach of the Act itself.

Whatever the outcome of this embarrassing incident may be, the lesson for all businesses is clear: consumers are no longer willing to tolerate the mishandling of their personal information, and when companies are suspected of acting irregularly, the incident is likely to become highly publicised and do damage to their reputation.

Protect your data and your business reputation today

If this incident has given you cause for thought as to the best practices to follow in your own business when handling client information, we’d like to support you in creating a comprehensive data security approach that protects not only your information, but that of your clients. 

Our range of secure cloud storage packages, particularly our Total Data Protection offering, can help ensure that all customer information is kept safe and help you comply fully with POPIA.

A look at the Protection of PI Act (PoPI Act)

For a while, it looked as though South Africa would lag behind the rest of the world when it came to personal information protection laws, but suddenly, all of that has changed.

The South African Constitution declares that everyone has the right to privacy, and South Africa is now taking the use and storage of personal information seriously, with laws to protect the average person on the street, as well as the high-flying business owner, from a possible data breach.

President Cyril Ramaphosa has stepped up and proclaimed that certain essential sections of the POPI Act will come into effect as of 1 July 2020. The PoPI Act (Protection of Personal Information Act) has been sufficiently updated and, while it will be effective as of 1 July, there is a 12-month grace period for compliance.

What the Updated PoPI Act Means for the SA Business Owner

South African businesses will have 12 months to adjust their business operations so that they are compliant with the PoPI Act, although it is recommended that they attempt to comply as soon as possible. The changes to the various sections and the implementation of new sections of the Act mean that you will have to take a close look at how you deal with your customers’ and employees’ personal data and information. You will need to put protective measures in place to ensure that data is never put at risk.

The updated Act seeks to ensure that businesses process personal information legally and respond to their duties and responsibilities as entities handling sensitive information.

The updated PoPI Act states that businesses should have a dedicated Information Officer (not necessarily a full-time employee of the company) to ensure business-wide compliance. Businesses that don’t comply within the lengthy time-frame given to reach compliance will be faced with hefty penalties for breaking the law.

What the Updated PoPI Act Means for the South African Consumer

Once the Act was amended, it was published that the following sections had been updated:

  • Sections 2 to 38
  • Sections 55 to 109
  • Section 111
  • Section 114 (1), (2), (3)

While all of these sections have been changed, it is largely section 5 that affects the South African consumer the most as it deals with how the information of individuals is gathered and processed. The rights expanded on in the Act mean that you as a consumer have the right to:

  • Receive notifications when your information is being collected.
  • Receive notifications if your data is intercepted or accessed by an unauthorised third party.
  • Query if a party has your personal information.
  • Request a copy of your stored or captured information from a party.
  • Request that your personal information is corrected or deleted by a party.
  • Deny the processing of your personal information in certain situations.
  • Refuse to have your personal data processed for the purpose of direct marketing.
  • Not be subject to a decision on outcomes that are only based on the information provided by an automated system.
  • Submit official complaints to regulators pertaining to non-compliance with the Act.
  • Action civil proceedings against parties that interfere with the protection of your personal information.

Whether you are a business owner or a consumer in South Africa, the amended PoPI Act has been designed to protect your rights as well as personal data. By working together (and that means being compliant with the updated Act), data in South Africa can be handled safely and securely.

If you want to start getting your business compliant with the new PoPI Act, you can start by signing up for a data-encrypted online backup service. Ensuring that the sensitive data on your business devices is kept safe and sound is a step in the right direction.