What is the purpose of the Cybercrimes Act?
The act recognises cybercrime as a criminal offence under South African law. The legislation, which is post-incident in nature, defines different types of cybercrimes and provides methods for investigation. It was imperative for South Africa to have clear definitions of cybercrimes in order to effectively regulate and prosecute them. Such crimes include cyber extortion, unlawful access to a computer system or computer data storage medium, cyber fraud, and malicious communications, including unlawful distribution of intimate images.
The act affects all individuals and organisations in South Africa who use the internet for communication or the processing of data. Professionals in cyber risk and governance will have to ensure that their organisations comply with the act. The bill’s journey started in 2015, and after years of debate, reviews, and amendments, the country began enforcing most sections on 1 December 2021. The increase in the use of technology for communication, particularly during the COVID-19 pandemic, and the rise in cyber-attacks during the lockdown period starting from early 2020 have sustained the government’s push to intensify regulation of cybercrime.
What is cybercrime?
Cybercrime is one of the fastest-growing criminal industries worldwide. It is the use of computers and digital platforms to commit illegal activities and can be driven by different motives, such as revenge or monetary gain. Cybercrime includes crimes enhanced by the use of the internet (such as smuggling, trafficking, and trading of illegal goods) and crimes that depend on the internet (such as ransomware, credit card fraud, and sextortion). The FBI’s 2021 Internet Crime Report indicated that internet crimes had risen 7% from 2020 and reported financial losses exceeding USD 6.9bn from scams, such as business email compromise, phishing, and ransomware.
According to an article in South African news website Independent Online (IOL), cyber security firm Surfshark revealed that South Africa was ranked sixth in the world for cybercrime density, as the number of cybercrime victims rose from 11.8 per one million internet users in 2016 to 14.1 in 2019 and 50.8 in 2020.
Data from the Seerist CORE risk monitoring platform shows that most organised cybercriminal campaigns target organisations in finance and insurance, energy and utilities, and government, but any organisation can be targeted. Cybercriminals usually launch attacks through phishing or brute-force attacks. Phishing remains one of the most prevalent modes by which cybercriminals commit fraud, with many perpetrators cooperating across international borders. For example, a cybercriminal group called PerSwaysion (which conducts payment diversion fraud) has been tracked by independent researchers to a network of individuals based in South Africa, Nigeria, and Vietnam. Payment diversion fraud is a type of attack in which threat actors acquire the email address of an unwitting victim and then impersonate a target organisation's supplier, requesting by email a payment to a seemingly legitimate bank account under their control.
Phishing is an attempt to obtain private and confidential information of individual internet users, such as usernames, passwords and credit card details. Cybercriminals generally send out emails or contact victims through instant messaging, and disguise themselves as genuine or official correspondents. Phishing emails or messages often contain malware-infected web links. Spear phishing is a variant of phishing that targets specific groups of people who have at least one thing in common; for example, they may work in the same company, attend the same university, use banking services at the same financial institution, or order goods and services from the same websites.
On a global front, cybercrime is a growing concern to countries at all levels of development, according to the UN Conference on Trade and Development. While 156 countries have enacted cybercrime legislation, the pattern varies by region. Europe has the highest adoption rate of cybercrime legislation, while Africa has the lowest. The evolving cybercrime landscape and skills gaps in the teams investigating cybercrimes are a significant challenge for law enforcement agencies and prosecutors, especially for cross-border enforcement.
Cybercrime in South Africa
Over the past two years, South Africa has continued to experience a number of high-profile cyber-attacks against some of the largest organisations in the country, including critical national infrastructure. Such organisations include Transnet – a state-owned freight logistics company – which was targeted by a Ukraine- and Russia-based cybercriminal group engaged in ransomware extortion, as well as South Africa’s Department of Justice and Constitutional Development, which was targeted by a similar extortionist group in September 2021.
More recently, in March 2022, TransUnion – one of South Africa’s leading credit bureaus – was targeted by extortionists based in Brazil. The TransUnion attackers stole a wealth of data, including names, ID numbers, dates of birth, gender, contact details, marital status and information, employer details, and other personal information of South African consumers registered with TransUnion. South African news site ITWeb reported that the hacker group responsible, N4aughtysecTU, was demanding USD 15m (ZAR 224m) in ransom and that they had stolen 4TB of data from TransUnion, including the personal records of 54m South Africans.
The numerous cyber-attacks on South African organisations have perpetuated further cybercrime. Fraudsters have leveraged the information obtained in previous cyber-attacks to access personally identifiable information (PII) for malicious purposes.
Digital forensics and cyber investigations
The South African Cybercrimes Act 19 of 2020 requires financial services institutions and electronic communications service providers (ECSPs) to report all offences to the South African Police Services (“SAPS”) within 72 hours of becoming aware of the offence. The law empowers investigators and prosecutors to investigate, trace, and prosecute cybercriminals. Certain sections of the act were brought into effect soon after the September 2021 attack on the justice department.
Chapter 4 of the act gives law enforcement the power to investigate, search, access, and seize digital devices via a search warrant. However, authorities have recognised the need for more rapid roll-outs of investigations into cyber incidents. The SAPS is required to set up a 24/7 point of contact for all cybercrime reporting. Digital forensics and cyber incident response skills and resources will be in demand to accommodate quick and accurate investigation turnaround periods. SAPS is the lead agency for coordinating investigations, both domestically and in response to international requests for assistance.
The Cybercrimes Act is linked to the Protection of Personal Information Act (POPIA), which safeguards the integrity and sensitivity of personal and private information. During cybercrime investigations, experts often require access to information from devices to contextualise matters under investigation. This can include personal information, and it is therefore important for investigators to consider POPIA to ensure that there are no legal repercussions.
Although there have been challenges in apprehending cybercriminals, there are some high-impact success stories, such as the recent apprehension of cybercriminals suspected of online fraud, romance scams, and money laundering. According to an article by INTERPOL dated 5 April 2022, a fraud gang suspected of swindling a US-based company out of some EUR 455,000 was taken down in raids across Johannesburg thanks to investigators from the Hawks Serious Commercial Crimes Unit, US Secret Service agents, and INTERPOL. The operation was reportedly part of a global initiative under the framework of INTERPOL’s Global Financial Crime Task Force (IGFCTF), where 14 countries including South Africa and the US cooperate closely to tackle the global threat of cyber-enabled financial crime.