Tuesday 10 October 2023

Social Security Commission leaks data (2018)

The Namibian reported in its edition of 11 June 2018 (https://www.namibian.com.na/68242/read/SSC-leak-exposes-personal-info-online) on the data leak noticed last week on the website of the Social Security Commission (SSC). The reporters who took up the story were able to alert the appropriate staff, and the data leak was closed on Sunday, 10 June 2018.


As the leak has now been closed, the following is an overview of the occurrence and what should have been done to prevent such events in other organisations.


The Director of the Namibia Consumer Protection Group (NCPG), Milton LOUW, is an IT expert and owner of Aardvark Investments, a company that often undertakes tracing for insurance companies wishing to trace people who are due monies but whose contact details are no longer current.

On Thursday 7 June 2018, a routine search for “Box 1141, Oshakati” showed the following results on Google.


Clicking on this link opened up the following page.




This directory contained 1,885 files, consisting of submissions to the SSC. Some of these files include very personal information such as ID numbers, SSC registration numbers, and even salaries at certain companies. PLEASE note that the information is from around 2013-2018 and is personal information that should not be in the public domain.


In addition to files submitted to the SSC by companies, there was also a directory of files containing the signed Performance Agreements of top managers for the period 2016/17.

Are my company files compromised?

PLEASE NOTE: All inquiries regarding the information of employees and employers should now be addressed to the Social Security Commission: Chariold.Auchab@ssc.org.na, Tel: +264 61 2807712.


What happened?

The website was created with the default directory www.(company).na/files/downloads. In this directory were placed all the electronic forms that employers can use to submit their employee details.
Unfortunately, the webmaster also used this directory to download all the files submitted to the SSC. This directory, for obvious reasons, needs to be available to the public, search engines, etc., and it did not have a prohibitive .htaccess file.


How to prevent this?

The public face of the company / organisation through its online presence should always be kept separate from information received from its clients via the internet. This means that any and all correspondence from customers should be automatically routed to a directory that is not part of the public domain.
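The separation described above can be enforced in the upload handler and checked with a routine audit. The following Python sketch is an added example, not code from the SSC site: the function names, file names and the `private/submissions` location are assumptions, and only the `files/downloads` layout comes from the description above.

```python
import os
import tempfile
from pathlib import Path

def store_submission(private_root: Path, docroot: Path, filename: str, data: bytes) -> Path:
    """Save a submitted file under private_root, refusing any store inside docroot."""
    private_root, docroot = private_root.resolve(), docroot.resolve()
    if private_root == docroot or docroot in private_root.parents:
        raise ValueError("submission store must not live inside the web root")
    # Keep only the final path component so '../' cannot steer the write.
    safe_name = Path(filename.replace("\\", "/")).name
    if not safe_name or safe_name.startswith("."):
        raise ValueError("unusable file name")
    private_root.mkdir(parents=True, exist_ok=True)
    target = private_root / safe_name
    target.write_bytes(data)
    os.chmod(target, 0o600)  # readable by the service account only
    return target

def audit_public_dir(public_dir: Path, published: set[str]) -> list[str]:
    """Return files under public_dir that are not on the list of published forms."""
    return sorted(
        str(p.relative_to(public_dir))
        for p in public_dir.rglob("*")
        if p.is_file() and str(p.relative_to(public_dir)) not in published
    )

def demo_storage() -> tuple[Path, list[str]]:
    # Constructed layout: a web root whose downloads directory holds one blank
    # form (meant to be public) and one submitted file left there by mistake.
    base = Path(tempfile.mkdtemp())
    docroot = base / "www"
    downloads = docroot / "files" / "downloads"
    downloads.mkdir(parents=True)
    (downloads / "blank_return_form.pdf").write_bytes(b"form")
    (downloads / "acme_return_2017.xls").write_bytes(b"payroll")
    stored = store_submission(base / "private" / "submissions", docroot,
                              "../../www/files/downloads/new_return.xls", b"payroll")
    return stored, audit_public_dir(downloads, {"blank_return_form.pdf"})

if __name__ == "__main__":
    path, strays = demo_storage()
    print("stored at:", path)
    print("unexpected public files:", strays)
```

Running the audit on a schedule against the list of forms the organisation intends to publish flags any submitted file that ends up in the public directory.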

Conclusion

This is the first, and certainly not the last, data breach that the media will report on. Namibia has to develop its security and implement the Electronic Transactions, Data Protection, and Access to Information Acts.
NOTE: .htaccess is the default name for a file that is used to indicate who can or cannot access the contents of a specific file directory from the Internet or an intranet.


Thursday 28 September 2023

DEBT REVIEW needed for consumers

One of the biggest problems in starting a family is that most of the things I want, such as furniture, a motor vehicle, etc., cost more money than I earn in a month. The only option for purchasing these high-cost items is to either save or to take them on credit. For myself, I have learned the hard way that it is better to save and buy later, rather than purchase on credit and not be able to afford the monthly payments later.


Unfortunately, most consumers still prefer to buy on credit and can find themselves borrowing recklessly and then becoming “over-indebted”. In many countries of the world, a law has been enacted as a National Credit Act that promotes an effective, fair and accessible credit market and helps protect consumers from “reckless lending” and “over-indebtedness”. Unfortunately, Namibia has not yet enacted many such consumer laws.

Under such a credit environment, debt counselling is included as a tool to help consumers get out from under debt. These debt counsellors must be trained and certified so that they can assist consumers with debt problems, help to design debt repayment plans and negotiate on behalf of the consumer with creditors to enable the consumer to afford their monthly debt payments. (This process is called Debt Review). The idea behind debt counselling is to help clients reduce their overall debt with creditors in the most cost effective way. At present, with no legal framework in place for debt counselling, the consumer only has two remedies when they cannot pay their debt: administration and sequestration.
There are, however, severe disadvantages to both of these and they disempower you as a consumer. If your debt is lower than N$50 000 you may apply to have your debt placed in administration. Under an administration order a large part of your disposable income can forcibly be taken to repay your debts, and the order comes with an administration charge of up to 12,5 percent of each instalment you pay. This would mean that for every N$100 you pay in debt, N$12.50 would go to cover the cost of the administrator. Under sequestration you lose all your assets, as they are sold to cover as much of your debt as possible, and you will need permission from a court-appointed trustee if you want to borrow any money. This disempowering of the consumer needs to be addressed and this is the core reason for introducing debt counselling under a Credit Act. The biggest attraction is that under a credit law the process is regulated and designed to prevent creditors from harassing you and prevent the loss of crucial assets.

In addition – unlike with administration orders – as much as 95% of your monthly payment will go to pay your debts under a debt counselling plan. There is a cost to debt counselling – after all the service is being provided by a trained and certified professional. In the regulations of the law, the Credit Regulator will be able to determine tariffs for an application fee, rejection fee (if you are found not to be indebted), the debt counsellor fee, as well as after-care fees. One of the further benefits is that such a law would enforce more rigidly the “in duplum” rule, which under common law limits the interest that a creditor may charge on any debt you incur. This common law rule holds that the creditor may not charge more interest once the unpaid interest equals the outstanding debt.

I hope the Ministry of Finance will look urgently into the matter of over-indebtedness, which I believe affects more than 15 000 households in the country.


Thursday 31 August 2023

Unclaimed Monies in the Namibian Financial Sector

 

List No. 4 is being released on 1 September 2023

All Pension Funds in Namibia must, in the month of January each year, publish in the Government Gazette statements of benefits that have remained unclaimed for a period of five years or more, in terms of section 93(1) of the Administration of Estates Act, 1965 (Act No. 66 of 1965).


NAMFISA noted in 2019 that not all funds have been publishing these lists as required and is busy enforcing this.


Several funds are using the Consumer Registration Database of over 1 million records and have had some success in tracing these members or their beneficiaries. A database has also been created to capture all the data from the published Gazettes since the early 1970s. It is expected that by February 2023, this database will be available to the public.


You can search to see if you or your family are beneficiaries of unclaimed monies:

GIPF: https://www.gipf.com.na/member-benefits/unclaimed-benefits/

Sanlam: 


  1. https://milton-louw.blogspot.com/2022/11/unclaimed-monies-newsletter-no-1-of.html 
  2. https://milton-louw.blogspot.com/2022/11/unclaimed-monies-newsletter-no-2-of.html 
  3. https://milton-louw.blogspot.com/2022/11/unclaimed-monies-newsletter-no-3-of.html 


Due to so much interest in the Unclaimed Monies lists, there is now a form for you to register and see if there is unclaimed money for you.

https://forms.gle/J7r6Cbjnv2gwwY1u9

Friday 7 July 2023

Law Society of Namibia leaks personal data of its members (7 July 2023)

Namibia does not yet have a legal framework to protect personal details such as full names, date of birth and personal contact details. In fact, many businesses and government departments are not even trained in what is considered personal information. Take for example the website of the Law Society of Namibia (LSN). On its “Find a Firm or Practitioner” page (https://lawsocietynamibia.org/find-a-firm-or-practitioner/), it shows public information in a browser window, namely Name, Surname, Designation and Industry. If, however, you investigate the coding of the page, it will also give you the Full Names, Date of Birth, and Personal Cellular Number of all its members.
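The fix for this kind of leak is to build the response from an allowlist of public fields on the server, rather than sending the full record and hiding fields in the page. The following Python sketch is an added example, not the LSN site's code: the field names, functions and the sample record are constructed for illustration.

```python
import json

# Fields the directory page is meant to show, per the description above.
PUBLIC_FIELDS = ("name", "surname", "designation", "industry")

def to_public_view(member: dict) -> dict:
    """Build the response object from an allowlist, so unknown or new fields never leak."""
    return {field: member.get(field, "") for field in PUBLIC_FIELDS}

def render_directory(members: list[dict]) -> str:
    """Serialise only the public view; the full record never reaches the browser."""
    return json.dumps([to_public_view(m) for m in members], sort_keys=True)

def leaked_values(response_body: str, members: list[dict]) -> list[str]:
    """Release check: list non-public field values that appear anywhere in the response."""
    found = []
    for m in members:
        for field, value in m.items():
            if field not in PUBLIC_FIELDS and value and str(value) in response_body:
                found.append(f"{field}={value}")
    return found

# Constructed sample record (fictional person, not data from the LSN site).
MEMBERS = [{
    "name": "Jane", "surname": "Example", "designation": "Director",
    "industry": "Practice", "full_names": "Jane Mary",
    "date_of_birth": "01/01/1970", "personal_cell": "000 000 0000",
}]

def demo_directory() -> tuple[list[str], list[str]]:
    leaky = json.dumps(MEMBERS)        # whole record sent, fields hidden only by the page
    fixed = render_directory(MEMBERS)  # allowlisted view
    return leaked_values(leaky, MEMBERS), leaked_values(fixed, MEMBERS)

if __name__ == "__main__":
    before, after = demo_directory()
    print("leaked before:", before)
    print("leaked after:", after)
```

The `leaked_values` check can run against the page source or API response before each release, using a seeded test record whose private values are known.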

The ability to save information on a computer and share it electronically necessitates legislation that protects against the abuse of this information. These laws are especially necessary in our Information and Communication enabled society where information is stored on electronic retrieval systems.

 The Namibian Constitution states in Article 13 Privacy: “(1) No persons shall be subject to interference with the privacy of their homes, correspondence or communications save as in accordance with law and as is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime or for the protection of the rights or freedoms of others.” The Constitution thus guarantees only “Physical Privacy”. The storage of personal and business information (“Informational Privacy”) must have legislation that will prevent misuse of this information. In addition, the individual in Namibia must be able to access any, and all, information that is stored by the state (public institutions). 

Three things are thus needed to guarantee informational privacy:
1. Data Protection Act; 
2. Privacy and Electronic Communications Regulations; 
3. Freedom of Access to Information Act 

The Namibia Consumer Protection Group (NCPG) once again calls on the broader society in Namibia to become aware of the need for data privacy and protection and encourages open discussion of what can be done. The NCPG will be preparing Public Facing Information Reports for our largest businesses and vulnerable persons to encourage them to manage their data better.

 As for the members of the Law Society, you should expect correspondence from me regarding the data leaked as well as on any other public facing information you need to manage.

Example of data leak at LSN: 
Mr
RB
Ralph Bazil
Strauss
23/12/1963
29/04/2011
Director
Practice
Dr Weder, Kauta & Hoveka Incorporated
Windhoek
061 - 275 550
061 - 220 553
061 - 238 802
081 146 1414
strauss@wkh-law.com
P O Box 864, Windhoek
WKH House, Jan Jonker Road, Ausspannplatz
Ministry of Finance
B.Comm LLB

Friday 4 November 2022

Namibian Students Financial Assistance Fund leaks over 10,000 records

 

The Namibian Ministry of Information and Communication Technology is inviting comments from the public on the draft Data Protection Bill until the end of November 2022. As a consumer whose data is being collected and processed, your rights will allow you to have information corrected or removed, and there will be punishments for non-compliant entities.


In October 2022, it was found that the Namibia Students Financial Assistance Fund (NSFAF) had placed files on its website to indicate the successful students who had received assistance. One of the files, placed in November 2019, was a 106-page document that included the following information:

  • Last Name
  • First Name
  • Unique ID
  • Namibian ID
  • Email
  • Cellphone Number
  • Student Number

All in all, the details of 10,972 students, with all the information necessary to steal their identity, were inadvertently placed on the Internet.


Over the past week, all the students on the list have been contacted (and added to this newsletter) to inform them of the data leak. It must also be noted that the NSFAF blocked any downloads from its site after it was informed of the incident.


Unfortunately, until the law is in place, there is no recourse for anyone whose identity has been stolen in this manner.