Ten million rand fine or jail for ten years

October 2013 Access Control & Identity Management

Due to come into law later this year, the Protection of Personal Information Bill – often referred to as PoPI – will dictate how South African organisations handle personal information, or PI. From the perspective of corporate security, PoPI will affect how organisations protect that data.

PoPI sets out eight conditions (commonly referred to as principles) for the lawful processing of PI. Condition 7 deals specifically with security safeguards and covers the following areas:

* Security measures on integrity of personal information.

* Information processed by operator or person acting under authority.

* Security measures regarding information processed by operator.

* Notification of security compromises.

In terms of the security measures required to protect PI, organisations must take “appropriate, reasonable technical and organisational measures” to prevent loss of, damage to or unauthorised destruction of the information, and to prevent unlawful access to or processing of it. According to the Bill, organisations must:

* Identify all reasonably foreseeable internal and external risks to personal information in its possession.

* Establish and maintain appropriate safeguards against the risks identified.

* Regularly verify that the safeguards are effectively implemented.

* Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Finally, the organisation must have “due regard to the generally accepted information security practices which may apply to it generally or be required in terms of specific industry or professional rules and regulations.”

Broader security implications

Fall foul of PoPI and the consequences could be a R10 million fine or 10 years in jail. Internationally, such penalties are nothing new.

In August 2010, Zurich Insurance was fined £2 275 000 – about R25 million – by the UK’s Financial Services Authority after an unencrypted back-up tape containing PI on 46 000 policyholders was lost in 2008 by the company’s South African operation; the loss only came to light the following year.

As an indication of the implications of complying with POPI, it’s worth considering the recent experiences of a local card-payments processor, PayGate. In an August 2012 cyber theft, hundreds of thousands of cardholder details were apparently stolen from the company.

When the theft became public in November 2012, PayGate said it was in the process of attaining compliance with international standards that govern the protection of cardholder data. In April this year, the company was duly certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council.

Peter Harvey, PayGate’s MD says, “PCI compliance means that any credit card information we handle on behalf of our clients and their customers is protected by multiple layers of security. In addition to the anti-virus and firewall protection customers would expect, all sensitive information is encrypted.”

According to Harvey, the process takes at least 18 months of serious effort and only a handful of South African businesses are currently PCI certified. To achieve compliance, Harvey says PayGate had to demonstrate that hundreds of controls were in place, ranging from firewalls, intrusion detection and file integrity management, through to staff training and the physical security of its offices and data centre.

PayGate’s experience highlights the fact that protecting PI is not just a matter of IT security: the controls it had to demonstrate extend into staff training and physical access control as well.

Understanding the threats to PI

It’s certainly not difficult for an organisation to “identify all reasonably foreseeable internal and external risks to personal information in its possession”. Research into the theft of PI is extensive, credible and readily available. For example, the annual Data Breach Investigations Report (DBIR) from Verizon has become a benchmark study into corporate data breaches, based on investigations into over 1700 real-life incidents in the past seven years.

The 2012 Report covers 855 breaches in which over 174 million PI records were compromised. It shows that abuse of IT access credentials featured in 53% of the breaches, split between exploitation of default or guessable credentials (29%) and the use of stolen login credentials (24%).

As in every previous DBIR, the exploitation of credentials is cited as by far the leading ‘threat-action’ in these breaches.
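The two credential-abuse patterns the DBIR figures above distinguish leave different traces in an authentication log: a guessed or default credential is usually preceded by a burst of failed attempts from the same source, whereas a stolen credential is presented correctly first time, typically from a source the account has never used. The Python below is an added example, not code from the original article or from Verizon; the log format, the log lines, the baseline cut-off and the thresholds are all constructed for illustration.

```python
"""Added example: separating the two credential-abuse patterns counted by the
DBIR (guessed/default credentials vs. stolen credentials) in an auth log.
The log format, the sample lines and the thresholds are all constructed for
illustration; this is not code from the article or from Verizon."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not any real product's).
SAMPLE_LOG = """\
2013-10-01T08:00:01Z user=alice src=10.0.0.5 result=OK
2013-10-01T08:01:10Z user=alice src=10.0.0.5 result=OK
2013-10-01T09:00:00Z user=admin src=198.51.100.7 result=FAIL
2013-10-01T09:00:02Z user=admin src=198.51.100.7 result=FAIL
2013-10-01T09:00:04Z user=admin src=198.51.100.7 result=FAIL
2013-10-01T09:00:06Z user=admin src=198.51.100.7 result=FAIL
2013-10-01T09:00:08Z user=admin src=198.51.100.7 result=FAIL
2013-10-01T09:00:10Z user=admin src=198.51.100.7 result=OK
2013-10-01T11:30:00Z user=alice src=203.0.113.9 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(log):
    """Return [(timestamp, user, src, success)] in time order; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT)
            events.append((ts, m["user"], m["src"], m["result"] == "OK"))
    return sorted(events)


def detect_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Default/guessable-credential pattern: a burst of failures for one
    (user, src) pair inside `window`, followed by a success from the same pair."""
    alerts = []
    fails = defaultdict(list)          # (user, src) -> timestamps of recent failures
    for ts, user, src, ok in events:
        key = (user, src)
        fails[key] = [t for t in fails[key] if ts - t <= window]  # drop stale failures
        if not ok:
            fails[key].append(ts)
            continue
        if len(fails[key]) >= threshold:
            alerts.append({"type": "guessed_credential", "user": user,
                           "src": src, "failures": len(fails[key]), "at": ts})
        fails[key].clear()             # a success resets the count for that pair
    return alerts


def detect_stolen(events, baseline_until):
    """Stolen-credential pattern: a clean first-try success for a user from a
    source never seen succeeding for that user during the baseline period."""
    known = defaultdict(set)           # user -> sources seen succeeding in the baseline
    for ts, user, src, ok in events:
        if ok and ts < baseline_until:
            known[user].add(src)
    failed_from = {(u, s) for _, u, s, ok in events if not ok}
    alerts = []
    for ts, user, src, ok in events:
        if (ok and ts >= baseline_until
                and src not in known[user] and (user, src) not in failed_from):
            alerts.append({"type": "stolen_credential_suspected",
                           "user": user, "src": src, "at": ts})
    return alerts


def analyse(log, baseline_until="2013-10-01T09:00:00Z"):
    """Run both detectors over a log; the baseline cut-off is an assumed value."""
    events = parse(log)
    cutoff = datetime.strptime(baseline_until, TS_FMT)
    return {"guessed": detect_guessing(events),
            "stolen": detect_stolen(events, cutoff)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On the sample, the admin login is flagged as a guessed credential (five failures, then success, all from one source inside the window) and alice’s login from 203.0.113.9 as a suspected stolen credential (first-try success from a source absent from her baseline). Both rules are triage signals, not proof: the stolen-credential heuristic fires on legitimate travel or a new device, and the guessing rule as written misses slow password spraying that spreads a few attempts across many accounts, which needs the failure count keyed on source alone.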

Gaping loophole in corporate security

The abuse of conventional security credentials is so widespread, so well-documented and so frequent that it undermines the integrity of any system that depends on them. The fact that anyone who holds your card, knows your PIN or has your password can use it exactly as you would is all the evidence that should be needed to illustrate their weakness as a security measure: the credential proves possession of a secret, not the identity of the person presenting it.

But who will shout out that the Emperor is wearing no clothes? And will their voice be heard? Any system built around cards, PINs and passwords (CPPs) is no more robust than a skilfully-balanced house of cards.

It’s almost certain that the first organisations to be charged for failing to comply with PoPI will be from the industry sectors most frequently robbed of the PI they hold – financial services, hospitality and retail. It’s equally likely that credential abuse will lie at the heart of this loss; that is what the research into real-world breaches consistently tells us.

Blinded by compliance

One consequence of the advent of PoPI is the birth of a mini-industry offering professional advice about PoPI and the requirements for compliance. From the big law firms, through to the major accountancy firms and management consultants, there’s a wealth of free and fee-based advice and best-practice information out there on all aspects of PoPI and its ramifications.

The danger of this focus is that it encourages organisations to channel their security efforts and initiatives into a very narrow tunnel – protecting PI. This has the effect of diverting resources and attention away from the much greater risks posed by the growing cyber threat to corporate secrets or intellectual property.

Intellectual property is often the foundation of an organisation’s competitive advantage and its loss can carry commercial consequences that make PoPI’s monetary penalties seem insignificant.

And the cyber threat to corporate secrets is increasing as the value of stolen PI continues to fall, basically because the market has been flooded with many millions of such records. As with any commodity, once the market is saturated, prices drop. Dave Ostertag, global investigations manager at Verizon Business, says: “I think what we’re seeing is that there’s a big change in the type of data that criminals are going after. There’s a glut of personal data out there now, and there really isn’t a great market for it.

“The value of intellectual property, on the other hand, is much higher – criminals are finding that they can make as much money from stealing a smaller number of highly sensitive records as they can from stealing a big database of customer information.”

The growing threat to corporate secrets was also highlighted by a March 2011 report from McAfee, which stated that: “While it remains a profitable enterprise to buy and sell stolen credit cards, lately, intellectual capital has become the new source of large and easy pay-outs.”

Advanced and persistent

The term ‘Advanced Persistent Threat’, or APT, describes intrusions, and the well-resourced adversaries behind them, that are sophisticated, determined and well organised, and that persist inside a network rather than striking once. The other defining characteristic of an APT is the information it targets: corporate secrets.

In 2010, Ernst & Young and Deloitte published commentaries on the increasing cyber-threat to corporate secrets and emphasised the vulnerabilities created by traditional access credentials.

Deloitte stated: “In many cases cyber-criminals have obtained credentials and accessed systems as if they were actual employees and customers. When cyber criminals employ such users as unwitting accomplices… they can operate as if they were users. They can acquire the same, or even greater, ability to navigate pathways, copy data, execute transactions and monitor keystrokes.”

Ernst & Young’s comments supported this opinion: “A common characteristic of APT malware is that it seeks to steal the credentials of valid users so that it can execute as a legitimate user and better evade detection.”

Perhaps a highly positive consequence of PoPI will be that it prompts organisations to rethink how they control access to all their systems and realise that it may be time to secure the foundations rather than adding another layer of shiny playing cards to the teetering construction that is IT security.
