Africrypt, a private Durban-based cryptocurrency trading platform established in 2019, suffered a loss of R50 billion this April. Not only did South African and other international clients lose billions of Rands, but hundreds of thousands of clients’ personal information was compromised, in contravention of the Protection of Personal Information Act (POPIA). The directors Raees (20) and Ameer (17) Cajee, the two brothers who built and own Africrypt, have disappeared and are believed to be in London or Dubai. Africrypt was granted provisional liquidation on 26 June by the Gauteng South High Court. The matter has been reported to the Hawks, and the brothers have until 19 July to argue against liquidation.
In a letter to clients Africrypt stated:
“We regret to inform you that due to the recent breach in our system, client accounts, client wallets, and nodes were all compromised. At this point, it is unknown to us the extent of personal client information breached during the attack.”
Hanekom Attorneys’ Darren Hanekom, who has investigated the hack on behalf of multiple clients, has said that:
“We believe, and we now have more evidence to suggest, that the Cajees were acting on behalf of a much bigger international syndicate.”
He further stated that “It is very unlikely that they managed to rope in more than R50 billion from investors.”
Furthermore, he believes: “This was a money-laundering operation”.
A burning question, however, is what could have been done to mitigate the risks of this attack? One answer is to implement a standard such as ISO/IEC 27018.
What is ISO/IEC 27018?
ISO/IEC 27018 is the first international standard on the privacy of cloud computing services, promoted by the International Organisation for Standardisation (ISO). It is a code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors.
This internationally accepted standard establishes objectives, controls, and guidelines for implementing measures to protect PII, and assists organisations in adhering to the POPI Act. It is based on the principles of ISO/IEC 29100, which provides a framework for protecting the cloud computing environment.
Why does an organisation need ISO/IEC 27018?
ISO 27018 certification establishes a security baseline for any business that does cloud-based processing. Put simply, the standard helps an organisation of any size to reduce security risk by establishing a baseline for its cloud-related business. ISO 27001/27018 also helps organisations such as government entities, public and private companies, NGOs, and any other services that process PII via cloud computing to adhere to the requirements of the POPI Act which, if contravened, could mean a fine of up to R10 000 000 or imprisonment, which is likely the case for the Cajee brothers.
What are the benefits of ISO/IEC 27018?
There are multiple benefits obtained when implementing ISO/IEC 27018. Some of these benefits include:
- Improved security and legal protection: ISO/IEC 27018 helps businesses comply with the POPI Act while reducing the risk of prosecution by those whose personal information might be breached.
- Improved global operations: Since ISO/IEC 27018 is an extension of ISO 27001 (a guideline for establishing an Information Security Management System), it is an internationally recognised standard. Stakeholders therefore recognise that the organisation is committed to globally accepted security practices for information processing.
- Streamlined sales processes: Security is a major point of contention for any organisation, and even more so for cloud-based operations. ISO 27018 helps reduce that friction by reducing the amount of information corporate security requires before it can sign off.
- Better security for a post-pandemic world: According to PwC, spending on cloud computing was up by 37% in 2020. This significant rise is attributed to remote working, but it inevitably brings with it a higher risk of cyberattacks. Implementing ISO/IEC 27018 is one way to mitigate this risk.
How do I implement ISO/IEC 27018 into an organisation?
This is done with WWISE’s expert consultants, engineers, and registered auditors, following a 4-phase approach:
- Phase 1: Gap Analysis Audit and Information Gathering
- Phase 2: ISO Documentation, Risk Assessment, and Process Mapping
- Phase 3: Implementation and Training
- Phase 4: Certification
WWISE provides a holistic solution that includes templates, coaching, training, and mentorship. As a consulting firm, we do not provide certification services. However, we will guide you through the certification process and ensure that your business becomes certified.