While unconfirmed at this stage, we have reason to believe a hacker or hackers may have been able to breach one of our systems. All our customers' funds (ZAR or Crypto), account balances and passwords are safe and unaffected by the suspected breach. In compliance with section 22 of POPIA, we are required to notify data subjects who may have been affected by a breach of personal information, irrespective of whether the breach is comparatively insignificant or severe.
According to the spokesperson of the Information Regulator, since POPIA was enacted, South African firms have had no fewer than 139 data breaches. These include big banks such as FNB, ABSA and Standard Bank, as well as credit unions, insurers and others. Unfortunately, we have reason to believe we are the latest in this long line of firms to have been targeted.
We were contacted by an unknown person/s on the 28th of December claiming they had gained access to our CRM system and threatening AltCoinTrader with reputational damage unless their ransom is paid. While this is not confirmed, it is always prudent to assume that the threat is credible at this early stage.
It is not AltCoinTrader’s policy to ever succumb to ransom demands as we believe this makes the company and our clients a greater target for future attempts. It is for these reasons that the personal information relating to our customers is completely segregated from the information relating to funds, account balances and passwords, meaning a breach in one area will not result in any danger to your funds (Crypto or ZAR). That being said, we are required to notify authorities and data subjects in circumstances where there may have been a breach in their personal information, to allow customers to take any precautionary measures they deem fit.
We believe the information that may have been exposed by the hack includes the sensitive and personal information of our clients. For the avoidance of doubt, this may include names, physical and email addresses, contact details, identity numbers, usernames, FICA documents, as well as less sensitive information such as previous queries you may have logged on our platform. No password information or information pertaining to funds has been breached.
The potential consequence of such a breach, unlikely as it may be, is that hackers may use this personal information to contact you directly (pretending to be a representative from AltCoinTrader or another institution) and attempt to leverage their knowledge of your personal information for other nefarious purposes, or try to get additional information from you that may compromise your accounts at other institutions. They may even try to get your AltCoinTrader password. Please never share this type of information with anybody, no matter who they claim to be.
In terms of the suspected breach, we have notified the South African Information Regulator and are opening a criminal case with SAPS. We commit to working with authorities in the hope that the perpetrators will get caught and face the full force of the law.
We are currently investigating the veracity of the suspected breach and if/how the breach would have occurred so that any system vulnerabilities that can be exploited are fixed. As an additional measure, for your peace of mind we have instituted a control that places blocks on accounts after only 3 failed password attempts.
Unfortunately, we live in a world where these types of events are happening on an ever-increasing basis, even within some of the most secure online environments in the world. If you are concerned, it is always good practice to use 2-factor-authentication and strong passwords, to never disclose your passwords to anybody, and to regularly update passwords associated with accounts that hold any of your funds. You can find out more information about ensuring your account is secure from our Help Centre. We thank you for your understanding and will keep you apprised of any material outcomes of the investigation.