This is the largest settlement ever paid for a data breach. Credit reporting agency Equifax has agreed to pay more than R10-billion to regulators to settle claims from a data breach that exposed the personal information of almost 150 million people.
According to Risk Based Security research, the first six months of 2019 saw more than 3800 publicly disclosed breaches exposing an incredible 4.1-billion compromised records. Remarkably, about 3.2-billion of these records were exposed by eight breaches.
The report states that the exposed data contained email addresses in 70% of breaches and passwords in 65% of these breaches.
Xperien CEO Wale Arewa says South Africa is experiencing a disturbingly high number of data breaches. “Liberty Life is still SA’s biggest breach yet, the personal details of more than 30 million people were leaked online.”
“The regulator must, as a matter of urgency, enforce stricter security measures to prevent data breaches. It must also hold companies that neglect to implement security measures to account under the Protection of Personal Information Act (PoPIA) and the General Data Protection Regulations (GDPR),” he stresses.
These data security laws mandate that companies implement adequate safeguards to ensure the protection of company and personal information, especially when it comes to IT asset disposition.
He warns that a data breach could have enormous financial implications and could possibly cripple any business. "If found guilty, businesses will certainly face civil claims, huge fines and the reputational damage could be detrimental."
With increased regulatory compliance and new legislations being introduced globally, companies are in for a rough ride and the consequences for data breaches are severe.
It is critical that IT Asset Managers can account for all IT assets within the company. They need to know exactly how many devices (laptops, PCs, tablets, mobile phones or fax machines) the company owns, who has access to them and where they are located.
“In a fast paced and ever evolving IT environment, business leaders need to recognise new methods for data protection, not only on all working devices but on retired IT assets as well. They also need to know what software is installed on each device and whether there is data encryption installed,” he adds.
There is a huge increase in the number of devices entering businesses today, it is not uncommon to suffer a security breach on a device that is not even recorded on the asset register.
There are serious security issues associated with 'BYOD' - the company does not own these devices but they are nonetheless liable if these devices are allowed to access company information.
In order to comply, businesses will have to implement proper security processes and train the relevant staff. In many cases, technology will be used to automate many of these processes to secure data.
Furthermore, many security breaches are internal, either deliberate or through plain negligence. By implementing a software usage tracking and analysis tool, one can identify culprits and in some instances, enable preventative measures.
Arewa says all devices need to be encrypted including portable media and mobile phones. “This will ensure that all information is protected if the device is lost or stolen. A managed encryption service is quick and easy to deploy and provides data security in the event of a security breach.”
Very few companies understand the protection of personal information when disposing of redundant IT assets. They need to realise that by retiring technology assets wisely, they can offset the cost of a secure IT asset disposition programme. Rather find a third-party specialist with deep experience in secure IT asset disposition.
“Securing sensitive data is a daunting task for any business. Data security laws mandate that companies implement adequate safeguards to ensure privacy protection of individuals and the penalties for data breaches are tough," he concludes.