According to IBM’s Cost of a Data Breach Report 2023, the average cost of a data breach for South African organizations was R49.45 million.[1]
The cost can be broken down into the following segments: lost business costs (business disruption and revenue losses from system downtime) at 8.31%; detection and escalation (costs related to detecting a breach, such as forensic and investigative activities and crisis management) at 26.97%; post-breach response at 35.51%; and notification costs (notifying data subjects, data protection regulators and third parties) at 29.21%. This gives a simplified picture of how costs would be allocated in the event of a breach and how a breach would affect an entity that has purchased a cyber risks insurance policy with a limit of indemnity of R50 million. These costs could be mitigated by risk management measures such as employee awareness training, having an incident response team, implementing encryption on systems and, ultimately, risk transfer in the form of insurance. Conversely, the costs could be exacerbated by the absence of an information security posture, a lack of regulatory compliance or a high proportion of employees working remotely.
Data breaches are costing South African companies a lot of money. Considering that the average cost per breached record peaked at R2,750, imagine the financial impact on a retailer such as JD Group, which had a data breach affecting 500,000 of its customers.[2] Taking the other costs involved in a data breach into account, it is easy to see that such a breach would have a significant financial impact on a retailer. No organization is immune – any entity holding data is at risk – and a credit bureau holding the information of more than 30 million customers would be a particularly lucrative target. According to TransUnion’s June 2022 update,[3] the data breach affected five million customers (whose personal information, including date of birth, gender, email address and marital status, was exposed) and a further 5.2 million customers who only had their identity numbers affected, with no other personal information linked to them. On the business side, 600,000 entities were potentially affected by the data breach. TransUnion took the following (costly) actions to protect consumers and businesses: where contact information was available, it directly contacted customers and entities; it provided free subscriptions to its tools; and it gave free access to personal and business credit reports. Beyond these costs, the Brazilian-based hacker group N4aughtySec Group demanded $30 million each from TransUnion and Experian, as reported by TimesLive.[4] This amount, approximately R565 million, is plausible given the sensitivity of the information and the number of records held.
To add salt to the wound, ransom demands are not included in the cost breakdown above. To understand these from a cyber perspective, one needs to understand what ransomware is and what some of the trends related to it are. Ransomware can be defined as malicious software used to lock and encrypt systems and files, rendering them unusable. Bad actors use it to cripple victims’ systems in exchange for a ransom payment. Ransomware can be spread through email (phishing), desktop sharing software (products that allow remote access and remote collaboration) and web applications. According to The State of Ransomware 2023 report by Sophos,[5] 78% of South African companies were affected by ransomware attacks in the period January – March 2023 (2022: 51%). This percentage increase is the highest among the 14 countries that responded. These statistics make sense when one considers that there were 564 notifications to the Information Regulator between October 2022 and February 2023.[6]
Ransomware does not discriminate by industry type. According to the Sophos report, the industries that have suffered significantly from ransomware attacks are business and professional services, higher education, media, leisure and entertainment. From an insurance perspective, this highlights the importance of including cyber risks insurance cover with business interruption as part of the organization’s risk transfer strategy. In the current South African economic climate, this exposure is only worsened by issues such as loadshedding.
Given the ease with which it is deployed and the success it has enjoyed, ransomware is here to stay, and the attacks will continue to evolve. Some of the current ransomware trends are:
- Encryption-less ransom attacks: encryption-less attacks contradict the true essence of ransomware, which relies on encryption. These attacks are premised on gaining access to sensitive data and threatening to release it rather than encrypting it. They rely on psychological pressure and can lead to faster ransom demands, reputational damage and regulatory consequences.
- Triple extortion: triple extortion is when criminals apply three levels of pressure. In a double extortion attack, the threat actor encrypts the victim’s data and then demands a ransom; if the ransom is not paid, the data is sold or published on online forums. The third layer, which makes it triple extortion, is when threats are also made to the victim’s affected third parties, such as suppliers.
- Ransomware-as-a-service: ransomware-as-a-service may sound like a hitman for hire; however, it is structured like a legitimate business model (subscription, affiliate, licensing or partnership-based) built on selling or renting ransomware tools to buyers who want to execute ransomware attacks.
- Targeting entities that have cyber insurance: given the increase in cyber threats, it is likely that most entities will purchase cyber insurance in order to transfer the risk of paying a ransom. The Sophos report states that 58% of the 771 entities surveyed that had a standalone cyber policy had their ransom paid. Of the 139 surveyed in South Africa, 45% had their ransom paid and had their data returned. However, as with any insurance, there are requirements that need to be met. These include, but are not limited to, the use of multifactor authentication, reliable backup solutions, employee awareness training, regular patch management, data encryption and the use of email security.
So, what type of ransom demands are being seen? Globally, the highest ransomware demand to date was for $70 million by a group called REvil in 2021. That ransomware attack affected approximately 1,500 businesses.[7] Bad actors frequently request payment in cryptocurrency such as Bitcoin because of the ease with which it can be purchased, the ease of verification on the blockchain and the anonymity it provides.[8]
The statistics relayed above reflect the fact that all entities are susceptible to a cyber attack. It is of paramount importance that there is boardroom-to-basement cyber awareness in the workplace, and stakeholder buy-in on cyber risk management. It is vital that all South African organisations assess and address their cyber risk posture appropriately to ensure that they don’t pay the price for the lack thereof – a cyber risks insurance policy might be the difference between the survival and the closure of an entity.
[1] Cost of a Data Breach Report 2023, IBM Security, 2023
[2] Labuschagne, “Over 500,000 Incredible, HiFi Corp, and Everyshop customer records possibly hacked”, MyBroadband, 31 May 2023, https://mybroadband.co.za/news/security/494091-over-500000-incredible-hifi-corp-and-everyshop-customer-records-possibly-hacked.html
[3] TransUnion, 01 June 2022, Update: March 2022 South African Cyber Incident [Press Release], https://newsroom.transunion.co.za/update-south-africa-cyber-incident/
[4] Skiti, S, “Hackers demand $60m from TransUnion, Experian for ‘new’ SA data theft”, TimesLive, 23 November 2023, https://www.timeslive.co.za/news/south-africa/2023-11-23-hackers-demand-60m-from-transunion-experian-for-new-sa-data-theft/
[5] The State of Ransomware 2023, Sophos, 2023, https://assets.sophos.com/X24WTUEQ/at/c949g7693gsnjh9rb9gr8/sophos-state-of-ransomware-2023-wp.pdf
[6] Mzekandaba, “Info Regulator gets candid about SA’s data breach woes”, ITWeb, 17 February 2023, https://www.itweb.co.za/article/info-regulator-gets-candid-about-sas-data-breach-woes/VgZeyvJlQrbMdjX9
[7] Office of the Director of National Intelligence, 2021, Kaseya VSA Supply Chain Ransomware Attack, https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/Kaseya%20VSA%20Supply%20Chain%20Ransomware%20Attack.pdf
[8] Jareth, “Is ransomware driving up the price of Bitcoin?”, emsisoft.com, 03 September 2019, https://www.emsisoft.com/en/blog/33977/is-ransomware-driving-up-the-price-of-bitcoin/#:~:text=Bitcoin%20accounted%20for%20about%2098,part%20of%20the%20ransomware%20model