Financial Mail

It’s time for a healthy dose of paranoia

After the TransUnion breach, people should be getting wiser about protecting their personal information

- Toby Shapshak

Shapshak is editor-in-chief of Stuff Studios (stuff.co.za) and publisher of Scrolla.Africa

Please send a copy of your ID or passport, I am often asked. Sometimes it’s for events, sometimes to book a flight. But my answer is always no.

No, I reply to the e-mail, I don’t even keep a digital version or picture of these utterly important documents on my devices, let alone do something as foolhardy as send them via e-mail.

Most companies and travel agents are stumped. Some try to reassure me that “This is how we always do it” or “We’ve never had a problem”.

I politely point out that if my personal details were somehow compromised and my identity stolen and used fraudulently online, how would they know?

Also, as I now point out — perhaps in defence of my justified paranoia — there is this little legislation called the Protection of Personal Information Act (Popia) that makes it a crime to collect people’s personal data and not keep it securely or allow it to be stolen.

E-mail is the least secure way to transmit anything — just ask the gleeful hackers and phishers who have ripped off or conned people out of their life savings.

After the TransUnion hack, people should be getting wiser — and more paranoid — about protecting their personal information.

How can a company comply with Popia if the very means (like e-mail or WhatsApp) they use to get a person’s information is itself insecure? Clearly, not many people have thought this through.

Certainly not the medical industry, which continues to e-mail ID numbers on all invoices, including people’s home address and contact numbers.

While we are on the subject, perhaps the medical establishment might want to rethink sending notifications via SMS. I had an outstanding balance of R57.10 to pay to a radiologist whose bookkeeper called me in exasperation to ask why I hadn’t paid the amount. “But how do I know it is really from you?” I asked.

It’s a random SMS from a long string of numbers telling me to pay money into someone’s bank account. Most of the time we call that spam or phishing.

My next question is: “If your company hasn’t understood the risks of this kind of communication, how can I take you seriously?”

Many other medical companies and insurance providers have taken to sending password-protected PDFs. What is the usual password? Your six-digit birthday. Sometimes, for added security, they make it eight digits, like the year itself is somehow making it more secure. Really? Everyone’s birthday is visible on just about every social media platform. That is no longer a secret.

It’s a move in the right direction, but people need to be more demanding about the security of their personal data — as paranoid as most South Africans are about the physical security of our houses, but even more obsessive. Old habits, such as e-mailing or WhatsApping IDs, are no longer safe and should be verboten. Please don’t do it ever again.

It’s your data, you’re the one who has to diligently protect it.
