In support of the Association of Certified Fraud Examiners’ International Fraud Awareness Week from 3 – 9 November 2013, we have prepared various articles relating to fraud. This is the first article, written by Bruce Thornton (Associate Director, Forensic), and relates to identity theft in South Africa.
Recent examples of identity theft have not only highlighted the apparent ease with which South African documents are falsified, causing reputational damage to the country, but also generally raised awareness internationally about the vulnerability of data containing sensitive information.
Recent events that have focused adverse international attention on identity theft in South Africa have included the use of a false SA passport by Samantha Lewthwaite, a British citizen and widow of one of the so called 7/7 suicide bombers, who was reportedly involved in the Nairobi Westgate attack.
Another example was the imposition of visa requirements on South Africans by the UK, after it was found that about 6 000 illegal Asian immigrants had been smuggled into Britain using South African documents.
These events focus attention on the growing incidence of ID theft across the world. A major focus is on the global data revolution and the fact that it is estimated that 90% of the data in the world today has been created within the last 24 months. Much of this data contains personal information, and carries the risk that this personal information can be obtained by unauthorised people who can use the information to the detriment of the legal owners.
Incidents that have set international alarm bells ringing have included:
- In 2010, a large multinational insurer stated that it had lost approximately 46 000 records containing customers’ personal information. It was later divulged that there was a South African connection as the security breach arose when customer information sent to a South African subsidiary company for processing, resulted in the loss of an unencrypted back-up tape during a routine transfer to a data storage centre. This breach resulted in the insurer receiving a hefty fine from the UK’s Financial Services Authority
- More recently, in October this year it was reported that Adobe had suffered a massive security breach which compromised the IDs, passwords, and credit card information of nearly three million customers
Personal information obtained illegally can be manipulated resulting in a devastating impact on unsuspecting individuals. Once in possession of a stolen ID document, criminals can use the acquired identity to gather or create additional information.
The growth in use of smartphones and the spread of programmes such as ‘Trojans’ into these devices have exacerbated the problem of identity theft. Our online lives have enabled easier illegal collation of our personal information to take place. Criminals armed with this information can create debt, make in-store or online card purchases and even obtain fraudulent passports without the knowledge of the person concerned.
The bottom line is that stolen personal information has become a commodity. The price of the stolen information increases based on the financial standing of the individual whose information has been stolen.
With the increased online availability of stolen personal information there is also a commensurate increase in identity theft to enable buyers of such stolen data to fraudulently access the benefits associated with such stolen information.
Although South Africa has not yet experienced a spike in hacking incidents linked to the theft of persona, some industry experts expect ID theft to surpass traditional theft due to the perceived anonymity associated with ID theft.
The protection of personal information by entities is therefore set to play a critical role in the prevention of future ID theft.
In South Africa this concern has been reflected in the Protection of Personal Information Bill (POPI), which will soon be signed into law. This Bill seeks to support the right to privacy of personal information of South African citizens and, also protects personal information collected and processed by organisations.
The Bill requires a custodian of third party personal information to have adequate measures to secure the integrity of personal information from, amongst other things, theft, loss, damage, unauthorised destruction and unlawful access or processing of personal information. The Bill also requires custodians of this information to identify and constantly update safeguards against identified risks to personal information in their possession.
The holder of information is also required to ensure that, where there is reasonable suspicion that personal information has been accessed or acquired by an authorised person, the processing party must notify the regulators and the person whose personal information may have been subject to unauthorised access.
The response to the challenge of identity theft has led directly to the highlighting of the need for improved security and the legislative responses of many international governments.
However, reality dictates that as the world of technology leads to the further proliferation and distribution of personal information, further challenges will arise requiring innovative action to prevent the devastating effect that abuse of data can have on individuals and entities that are impacted by this illegal activity.
If you have any questions or require a more detailed discussion, contact Bruce Thornton (Associate Director, Risk Advisory, Forensic at Deloitte & Touche) at firstname.lastname@example.org