NEWS ANALYSIS

Like millions of South Africans, I was jolted out of my Sunday morning snooze by an SMS from Liberty, telling me that its data had been hacked. As limited information about the attack has slowly filtered out, it has only served to raise more questions than answers.

If it was “largely” emails and attachments, whose emails and what attachments — and does this mean my bank statements and medical records are in the hands of cyber-extortionists?

Recommendations to “be vigilant” and secure all my passwords may be good in general, but they’re not very helpful when there is nothing I can do to change my ID number, my address or my bank account details.

The same is true of several major data breaches that have hit South Africa in recent months, such as the infamous masterdeeds breach that left more than 60-million South Africans’ personal records openly accessible over the internet.

But ultimately, what has been most disturbing about the Liberty attack hasn’t been the lack of concrete information or the intense speculation about how the attackers managed what they did in the first place.

What has been most alarming for me as a consumer is the reality that, in practical terms, there is currently little recourse for South Africans when data breaches like this happen.

Central parts of the Protection of Personal Information (Popi) Act — the key law meant to protect personal information passed in 2013 — are not yet in force, legal experts point out.