A man looks at dating website Ashley Madison as a hacker group made good on its pledge to release user data stolen from the affair dating website, creating a potential privacy and security debacle for millions. (Eva Hambach, AFP)
Cape Town - The data dump by the AshleyMadison.com hackers is a warning to South African firms on the importance of securing client information, says a local expert.
Hacker group The Impact Team stole over 30 million users' personal and financial information from the cheating website.
"In the case of the Ashley Madison website, it is interesting to note that the apparent driving factors for The Impact Team's hack is related to moral reasoning, where they are attempting to stand up against the use of the website which enables people in relationships to cheat on their partners," said Candice Sutherland, business development consultant at Stalker Hutchison Admiral Specialist Underwriters.
"The nightmare may not be over for the victims as the hackers still have over 290GB of photos and emails which are yet to be released," said Sutherland.
In Canada, Ashley Madison is already facing a $578m class action lawsuit over the breach.
If this breach had to happen to a South African company, Sutherland indicated that heavy fines could be imposed.
This is because local companies that fail to take adequate measures to protect client information on the internet could find themselves in breach of the Protection of Personal Information (Popi) Act.
"Popi aims to give effect to the constitutional right to privacy and therefore restricts the unauthorised access to information regarding the educational, medical, financial, criminal or employment history of an individual as well as their personal details such as ID numbers, contact details and physical addresses," Sutherland said.
"In addition, all personal details that are shared with an organisation in confidence, be it race, gender, marital status, religion, culture, sexual orientation and even language, are protected under Popi legislation and a breach of the act can result in a fine of up to R10m or 10 years in prison."
A regulator for Popi has yet to be appointed, but South African companies are still expected to toe the line.
Data loss protection
South African companies could also be particularly exposed if an Ashley Madison style breach had to happen locally.
According to a report from security specialist firm Trustwave, only 38% of local companies said that they had organisational measures in place to prevent the loss of unauthorised data.
And in the event of a data breach, the risk is that few local organisations would even divulge data loss.
"In South Africa, no. Nobody's going out there to publically announce that they had a data breach. That would be quite catastrophic for them. However, I do agree that there is a responsibility with that company to go through that process to notify you - not 32 days later," Andrew Kirkland, Trustwave regional director for Africa told Fin24 recently in reference to a high profile Sony attack.
Do you think local companies are doing enough when it comes safeguarding your information online? Tell us by clicking here.
- Follow Duncan on Twitter