Times Select 15 October 2019
The personal details of thousands of SA home loan applicants may have been exposed to a breach – but the financial technology company involved insists “security vulnerabilities have already been patched”.
On Monday, SA tech website Mybroadband reported that security vulnerabilities had been discovered in systems used by the country’s banks, which expose the personal data of those applying for home loans.
These systems contain information on identity documents, home loan applications and property valuations.
The flaws, according to Mybroadband, were in systems which financial technology company e4 Strategic develops and maintains for banks.
Lawyers use e4’s systems to register and cancel home loans.
Mybroadband reported that home loan applications dating back to 2010 could have been affected.
Ryan Barlow, e4’s chief information officer, said in a statement: “We can categorically state that the security vulnerabilities have already been patched.
“To the best of our knowledge there has been no unauthorised access to our data or the data that we store on behalf of our clients.”
He said the company took information security seriously and conducted routine security checks on all of its systems.
“As part of these checks, security issues are brought to our attention and dealt with appropriately. E4 has an information security officer to ensure information security and data privacy are dealt with as an utmost priority.
“We also have external security consultants that ensure that we comply with the most stringent security controls, which are becoming more of a requirement, in particular with regards to our major banking clients.
“An Information Security Steering Committee has also been running for a number of years to track security threats on an ongoing basis. We are regularly audited from a security perspective by our major banking clients and are subject to information security audits from our group external auditors.”
Standard Bank spokesperson Ross Linstrom said the bank had been in contact with e4.
“We have asked for an update regarding the veracity of the claims. Standard Bank takes the security and privacy of its customers extremely seriously and is investigating the claims.”
Carli Cooke, Absa spokesperson, said e4 had assured them there had been no security or data breach with regards to customer information related to the bank’s home loan applications.
“We have, however, noted the media article and have requested a full report from the supplier. We take customer data protection seriously and we are looking into the allegations with urgency.”
Nedbank’s spokesperson, Kedibone Molopyane, said they had been assured “that at this stage there is no evidence of an external data breach based”.
“The company will continue its investigation into the allegations and will finalise a provisional report in due course.”
Cyber security expert Craig Rosewarne, director of Wolfpack Information Risk, said that strategically SA was very vulnerable.
“Weekly we receive reports of people and businesses which have fallen victim to cyber attacks. They report it to the authorities but there is no action.
“That’s because, while on paper we have brilliant legislation and policies, such as the Protection of Personal Information Act, to protect people’s personal information, there is no proper implementation or enforcement to ensure people’s information is actually protected.”
He said companies, especially those working in financial services, only tended to act because they were governed by “heavy regulations which carry the risk of huge fines and reputational damage”.
Rosewarne said those carrying out attacks didn’t just target people or businesses for money.
“Information, especially personal information, is incredibly valuable and can be used for extortion purposes.”
He said that because of the attacks there was an increase in the number of system suppliers being forced to take out cyber risk insurance policies, which cover businesses for losses from hacks.
“This forces firms to undergo audits of their systems to ensure that they are compliant when it comes to cyber security.”
* To check if your data has been breached, go to https://haveibeenpwned.com
SA cyber attacks
- July 2019: Civil Aviation Authority allegedly infiltrated in a suspected cyber attack;
- July 2019: SA Social Security Agency’s website defaced in a hack;
- July 2019: City Power’s networks attacked with a virus loaded onto systems which left prepaid users unable to buy or load electricity;
- June 2018: Liberty Holdings’ IT systems breached, with customers’ financial details stolen;
- June 2016: A Standard Bank SA computer system is hacked and nearly R300m stolen by people using forged Standard Bank credit cards to withdraw money from 1,400 ATMs in Japan.