ALERT: WEBSITE NOTICE TO – ALL CLIENTS, FINANCIAL SERVICES PROVIDERS, OTHER SERVICE PROVIDERS OR PERSONS DOING BUSINESS WITH THE COMPANY AND PAST AND PRESENT STAFF MEMBERS
Section 22(1)(b) Notice
In accordance with section 22(1)(b) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) (“the Act”), the company hereby notifies all those persons to whom any personal information relates who are clients of the company, financial services providers and other service providers or persons doing business with the company, as well as all past and present staff members, that:
- the company has received a cyber-security report confirming that it has been the subject of a coordinated social engineering attack by a person or persons unknown who illegally targeted its data files; and
- the company’s cyber-security consultants, iSquared, believe that this compromise was made possible due to the lockdown regulations requiring staff to work remotely from home; and
- despite this act of criminality, the company’s IT business infrastructure remains robust, has continued to operate and function without any loss of data, is secure and under its control, with an off-site business continuity platform, with full replicated data, to enable immediate recovery should the need arise; and
- no client investments or monies have been affected; and
- in accordance with section 22(5) of the Act, the following information is provided to allow all clients of the company, financial services providers and other service providers or persons doing business with the company, as well as all past and present staff members, to take protective measures against the potential consequences of this unfortunate incident, namely –
5.1 as per sub-section 22(5)(a) of the Act, the company hereby sets out a description of the possible consequences of the security compromise, namely that, as a result of the attacker gaining access to and copying a file server, the prescribed personal information the company is obliged to obtain from those doing business with it or employed by it, in terms of, amongst others, the Financial Intelligence Centre Act, 2001 (Act No. 38 of 2001), the Financial Advisory and Intermediary Services Act, 2002 (Act No. 37 of 2002) and the Income Tax Act, 1962 (Act No. 58 of 1962) could be disclosed to third parties or exploited by the attacker for personal or commercial gain; and
5.2 as per sub-section 22(5)(b) of the Act, the company hereby sets out a description of the measures the company has taken to address the security compromise, namely the company’s cyber-security consultants have, amongst others:
– prioritized the immediate protection of information, which comprises both business data files and client data files; and
– initiated the company’s off-site business continuity back-up system to have the company back online without any disruption should the need arise; and
– undertaken an in-depth investigation and interrogation of the company’s entire IT environment and infrastructure; and
– essentially scrubbed and rebuilt all its computers, as an extra precaution, putting on all new software; and
– advised the company that they have further enhanced the company’s IT infrastructure with security protocols of an exceptionally high standard; and
5.3 as per sub-section 22(5)(c) of the Act, the company hereby sets out a description of the measures recommended to be taken to mitigate the possible adverse effects of the security compromise, namely:
– change all passwords required when dealing with or on the company’s platform; and
– regularly change passwords, both on the company’s platform and other platforms; and
– monitor electronic devices for any abnormal behaviour or activity and be vigilant at all times; and
– confirm electronic correspondence to and from the company with an in-person communication; and
– monitor inboxes for suspicious-looking phishing emails and immediately delete them, without opening them; and
– do not click on a link in an email to change passwords.
5.4 as per sub-section 22(5)(d) of the Act, the company hereby confirms that the real identity of the unauthorised person who accessed or acquired the personal information is unknown, but the company will continue to investigate this further and assist the authorities where required.
Questions & Answers
Given the formalistic nature and tone of the above notification required in terms of the Act, a list of Questions & Answers has been compiled to provide as much information as possible to assist clients, financial services providers and other service providers or persons doing business with the company, as well as all past and present staff members. The Questions & Answers are incorporated by reference as additional information to the above section 22(1)(b) notice prescribed by the Act.