In S v Phungula, the Specialised Commercial Crimes Court convicted Phungula of theft of personal data. The court found Phungula guilty of fraudulently obtaining the personal data of more than 23 million people and business-related data of almost 800 000 businesses. Phungula intended to sell this data for more than R4 million. He faces a 15-year prison sentence.

We are monitoring developments in this matter as Phungula is awaiting sentencing. We will update this post once we have new information.

Who should care about this judgment and why?

  • The general public because their personal data is vulnerable to scammers especially if they bought items on credit.
  • Companies that store and process large volumes of data because they are a target for cyber criminals.

What could you do about it?

  • Join our Cybercrimes Law workshop and contact us for help with keeping your business safe from cybercrime.
  • Look out for the Southern African Fraud Prevention ServiceĀ (SAFPS) biometric-enabled authentification tool, Secure Citizen. This is a free tool that is set to be released in mid 2023. This tool allows you to control your digital identity and apply for protective registration so that you can transact online in a safer manner.

Our insights on the judgment

If your IT security measures are weak, you leave your systems vulnerable to the real possibility of a cyber-attack from a cyber-criminal who could be anywhere in the world. A cybercrime by one of your employees or an attack from a cyber-criminal can have devastating consequences for your business. If you are fined or imprisoned for example:

  • Your business and your brand could suffer from irreparable reputational damage.
  • You could lose your business as a result of an exorbitant fine.
  • You could lose valuable customers because they no longer trust your brand.
  • Loss of revenue.
  • You may not be able to attract new customers.

Beef up your information security

In several reports online, information security officers said that cyber-criminals are becoming more sophisticated in their attacks. It is therefore necessary for organisations to boost their information security efforts to curb cyber-attacks.
Organisations therefore need to be more vigilant in detecting any risks to the data they hold by beefing up their information security measures tools to reduce the risk of a cyber-attack. You should regularly monitor your systems to ensure that any data you hold is secure from harm. Organisations should look to invest in software that can detect any possible threats to an organisationā€™s IT infrastructure.

Digest

Facts

In May 2020, Experian, a data services firm, experienced a data breach. The company only detected the breach in July 2020 – more than a month later. Phungula had impersonated businessman and requested access from Experian to data of approximately 23 million consumer information and almost 800 000 business records.

By impersonating the businessman, Phungula was able to successfully log into the Experian Secured File Transfer Protocol (SFTP) where he downloaded both consumer and business information.Ā It was only after the credit bureau invoiced Tails-Holding that Experian discovered that neither Tails Holdings, nor its CEO, had engaged with Experian.

Experian suffered significant financial harm and reputational damage because of the data breach. In a sentencing hearing that took place in March 2023, Experian’s CEO said that they were unable to provide marketingĀ services to their clients which resulted in a loss of R65 million in revenue.

Experian paid the National Credit Regulator an administrative penalty of R5 million.

Order

The Specialised Commercial Crimes Court found Phulunga guilty of fraudulently obtaining personal and business-related data.

Details of S v Phungula

The judgment from the Specialised Commercialised Crimes Court is not available online. We’ve written this summary based on news articles we’ve read online. We will share a copy of the judgment once we source a copy.