Popi arms you against abuse of your personal details
Your personal information is up for grabs, which is why it’s good news that the Protection of Personal Information Bill has finally been signed into law. At a recent meeting of the Acsis/Personal Finance Financial Planning Club, Anna Collard, director of
If governments are heavily invested in developing spyware to gather information about their citizens, imagine what cybercrooks are doing to get hold of your personal information and how they might use it.
“Information leaked to the media by Edward Snowden, a former employee of the [United States] National Security Agency, shows that nation states with significant personnel and technical resources at their disposal invest heavily in cyber malware,” says Anna Collard, director of Popcorn Training, a company that promotes awareness about information security.
Snowden has claimed that the US and Israel co-wrote the Stuxnet virus, a worm that targeted Siemens software used to control the operations of nuclear power plants, Collard says.
“It’s believed to have been created to attack Iran’s nuclear facilities in 2010, and apparently infected a nuclear power plant in Russia this year,” she says.
Then in 2011, Duqu surfaced. Malware thought to be related to Stuxnet, it has been dubbed the “steal everything” virus for its ability to steal just about anything on a computer system, she says.
Like Stuxnet, it would have taken many years and a great deal of resources to develop.
“The developers of these viruses are not your stereotypical young geeks working in their parents’ garages; they’re professionals.”
Organised crime is also in on the action, Collard says. “Cybercrime is much more lucrative than the drug trade,” she says.
Personal information is any information that identifies or describes you, Anna Collard says.
The Protection of Personal Information Act defines personal information as “all information relating to an identifiable, living, natural person and juristic person”. All such persons are defined as “data subjects”.
Personal information includes gender, marital status, age, belief, birth date, blood type, identity number, email address, physical address or telephone number.
Your financial, educational, medical and employment history is also deemed to be personal information.
Special personal information is information about your children; religious or philosophical beliefs; race and ethnic origin; trade union membership and political opinions; health; sex life, or criminal record.
Malware (malicious software) is software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Malware that replicates itself in order to spread to other computers is one common kind.
Cybercrooks release malware into the market to collect your information so that they can sell it underground, she says.
“You may have heard of ‘ransomware’. It’s a virus that pops up on your PC as a notice from what appears to be the police or another authority, claiming that you downloaded a movie illegally. You get instructed to pay a fine, and prompted to divulge your banking details.”
Collard says an email address can fetch 10 US cents (R1) and your credit card information, such as your CVV number, could sell for between US$2 and US$15 (R20 to R151), but your bank account with log-in details will go for anything from US$15 to US$850 (R151 to R8 570), depending on the amount in the account. This is according to McAfee’s 2013 cybercrime report.
With enough information, crooks can steal your identity and create fake bank accounts. Apart from being saddled with the debt acquired in your name, you will also need to reclaim your stolen identity, which can be very difficult and expensive, she says.
Malware is not the only means used by crooks to steal your personal information. “Phishing is the most common,” Collard says.
Phishing occurs when you respond to a fraudulent email that appears to be from your bank or a trusted source, but is not. The email induces you to click on a link. A window pops up and you are prompted to enter your confidential banking information on a fraudulent website. This enables fraudsters to glean your account number and passwords.
“Spear phishing, which is a more targeted attack, is also widespread,” Collard says. “They find you online – perhaps on a social media site – and build a profile on you. They send you messages that look legitimate and gather as much of your personal information as possible. They may also target people employed in a human resources or IT department and bribe them into parting with the personal information of employees.”
Collard says that when information is stolen in targeted attacks on a company, this is known as “puddle phishing”.
Crooks also attack you through a “waterhole”, she says. “This is when cybercrooks infect a popular or topical website so that when you go to the site, they look for weaknesses in your browser, and when they find them, trick your browser into downloading and running malware silently to steal your personal information.”
With your personal information so valuable, companies that have legitimate reasons for collecting and storing such information have a responsibility to ensure that it doesn’t fall into the wrong hands.
If this does happen, Collard says that Popi affords you significant protection. The Act will regulate the collection and processing of personal information by both private and public entities. It will impose on them the following principles:
◆ Consent. Companies and public bodies have to obtain your consent to collect, retain and share your personal information.
◆ Notification. You must be informed if information about you is collected.
◆ Purpose. Information must be used only for the lawful and stated purpose.
◆ Access. You, as a data subject, will be allowed access to the information that is kept about you.
◆ Accuracy. The information about you must be accurate.
◆ Safeguard. Companies have to safeguard your personal information. Popi makes this a legal requirement.
◆ Breach notification. Companies must notify you and the regulator should your personal information be breached.
◆ Accountability. Non-compliant entities face fines of up to R10 million or up to 10 years in jail. Collard says a director or information officer could face 10 years’ imprisonment for obstructing the activities of the regulator, and up to 12 months for other violations of Popi.
The Act applies to all, Collard says, from suppliers to consumers or customers – including members of retirement funds, medical schemes, policyholders and consumers who enter into a home loan or any other credit agreement.
The law also protects “prospects” by regulating how companies can contact you, as a prospective customer. This has far-reaching implications for direct marketers. If you haven’t given the company prior consent, it technically may not use any of your personal information.
“The Consumer Protection Act has an opt-out principle, which says companies can contact you provided you haven’t opted out. But Popi says you have to opt in. In other words, a company may not use your personal information to make contact with you unless you opted in – and gave consent to use your information to communicate with you.”
Collard says that Popi will allow direct marketers to contact you by post only and not electronically – except once to ask you for your consent to collect information.