Security 14.10.2024

South African R49 million cybersecurity pain

South Africa’s average data breach cost of R49 million has placed the country 14th among countries hardest-hit by such attacks, according to Allianz’s cyber security report for 2024.

The report noted a global increase in cyber-related claims over the past year, attributed to increased data and privacy breach incidents.

A data breach refers to the unlawful exposure of confidential and sensitive information. Attackers often obtain this information to extort their victims.

Such a breach could result from a ransomware attack, which involves encrypting the victim’s data and extorting them for a decryption key.

Although ransomware attacks and data breaches often occur together, they are distinct.

The difference between the two is the intention of the attack, with attackers aiming to steal data in a data breach and encrypt it during a ransomware attack.

“A rise in ransomware attacks, including data exfiltration, is a consequence of changing attacker tactics and the growing interdependencies between organisations sharing ever more volumes of personal records,” says Allianz Commercial’s global head of cyber claims, Michael Daum.

Allianz argues that despite a recent trend of increased investment in cybersecurity, many of the largest data exfiltration cyberattacks over the past 18 months have resulted from weak cybersecurity within organisations.

Several South African entities have suffered this fate, with both the public and private sectors falling victim to multiple data breaches in recent years and millions demanded in ransoms.

One of the most recent attacks targeted online retailer OneDayOnly.

The e-commerce platform was attacked by the hacking group Kill Security (KillSec), which reportedly demanded that OneDayOnly pay a $100,000 (R1,777,695) ransom to prevent the data from being posted online.

Based on the sample data KillSec published, the group downloaded a cache of OneDayOnly’s supplier take-on forms.

Similarly, in March 2022, a group called N4ughtysecTU claimed responsibility for a ransomware attack on credit bureau TransUnion, claiming that at least three million South African customers’ details were impacted.

A further 6 million ID numbers were exposed.

TransUnion refused to pay a ransom to prevent the data from being leaked online.

While the attackers alleged they exfiltrated 4TB of data and the records of 54 million South Africans, TransUnion disputed that this leaked Home Affairs data came from its servers.

Two years earlier, a major data breach at rival credit bureau Experian exposed the personal information of 24 million South Africans and nearly 793,749 business entities.

Several government departments have also become the victims of data breaches.

Ransomware group LockBit set 11 March 2024 as the deadline for the Government Pensions Administration Agency (GPAA) to pay its extortion demand or risk having its stolen data released on the dark web.

The attack occurred in the middle of February.

The GPAA refused to pay the ransom, and LockBit released a 668GB archive containing data it stole from the agency.

A few months later, the National Health Laboratory Service (NHLS) was the target of a ransomware attack by the BlackSuit hacking group.

BlackSuit alleged that it had stolen around 1.2 terabytes of data, including third-party, client, and patient information.

The danger of these attacks does not stop there. Whether the ransom is paid or not, sensitive information could fall into the wrong hands.

This data can range from credit card information to patient information, such as in the case of NHLS.

Subsequent attacks using this stolen data often take the form of phishing or vishing, where attackers use social engineering techniques to obtain sensitive information from their victims.

Vishing is the same as phishing, except the attack occurs over a voice call rather than via email or SMS.

An example of a recent phishing attack targeted South African Revenue Service (Sars) eFiling users.

The scam, sent via email, included a spoofed Sars logo and similar formatting to Sars’ notices. It warned taxpayers that they would be unable to file their 2024 return until they paid an outstanding amount.

This would allow attackers to manipulate South Africans into paying the “outstanding amount.” The more personal information attackers have on an individual, the more easily they can convince victims to fall for it.
