Question

employees regarding the risk of cybercrime attacks.”

Nedbank clients were in shock on Thursday morning, after it was reported that 1.7 million customers may have had their data breached. Nedbank client's identity numbers, addresses and contact details may have been breached after a "data security incident" at a direct marketing company. According to a statement, Nedbank said they have investigated a data security issue that occurred at the premises of a third-party service provider, namely Computer Facilities. Computer Facilities is a direct marketing company that issues SMS and email marketing information on behalf of Nedbank and a number of other companies. A subset of the potentially compromised data at Computer Facilities included personal information (names, ID numbers, telephone numbers, physical and/or email addresses) of some Nedbank clients. No Nedbank systems or client bank accounts have been compromised, the banking institution said. "Once we became aware of the issue, we engaged as a matter of urgency with the service provider and leading forensic experts to conduct an extensive investigation.” It should be noted that Nedbank identified the data security issue at Computer Facilities as part of our routine and ongoing monitoring procedures. "We have moved swiftly to proactively secure and destroy all Nedbank client information held by Computer Facilities. Information from Nedbank Retail relating to approximately 1,7 million clients were potentially affected of which 1,1 million are active clients." "This incident is isolated to the third-party service provider’s systems. As a further precautionary measure, Computer Facilities’ systems have been disconnected from the internet until further notice.” “We regret the incident that occurred at the third-party service provider, namely Computer Facilities and the matter is receiving our urgent attention. The safety and security of our clients’ information is a top priority. We take our responsibility to protect our client information seriously and our immediate focus has been on securing all Nedbank client data at Computer Facilities, which we have done. In addition to this, we are communicating directly with affected clients. We are also taking the necessary actions in close cooperation with the relevant regulators and authorities,” Nedbank CEO Mike Brown said. Nedbank Group Chief Information Officer Fred Swanepoel said: “Computer Facilities did not have any links to our systems. Our team of IT specialists and external cyber security experts have been working continuously with them since we became aware of this matter. Clients’ bank accounts have not been compromised in any manner whatsoever and clients have not suffered any financial loss. Nedbank remains vigilant in its efforts to contain cybercrime.” Nedbank said that they have advised Computer Facilities of their obligation to notify any of their other customers potentially impacted by the incident. Clients’ bank accounts are not at risk and they do not need to take any further action other than continuing to be vigilant against attempts at fraud.

Source: https://www.iol.co.za/personal-finance/my-money/banking/warning-if-you-are-a-nedbank-client-your-data-may-have-been-breached-42651750 [Accessed on 17/02/2020].

QUESTION 1 (20) As stated above, “South African information technology experts have warned businesses and consumers to back up their databases and to train employees regarding the risk of cybercrime attacks.”

In light of the above, advise businesses and consumers in South Africa on some measures and techniques which can be adopted in order to help suppress such cybercrime attacks as mentioned above.

QUESTION 2 (20)

As stated by the Nedbank CEO, Mr Brown: “Our immediate focus has been on securing all Nedbank client data at Computer Facilities, which we have done. In addition to this, we are communicating directly with affected clients. We are also taking the necessary actions in close cooperation with the relevant regulators and authorities.”

Critically discuss whether Nedbank had indeed taken appropriate steps after becoming aware of such data breach. If not, suggest other steps which should have been taken after becoming aware of the data breach.

QUESTION 3 (20)

In light of the above, critically discuss the effectiveness of South African legislation which governs privacy and the protection of private data in South Africa.