Did one simple issue crash Liberty?

The weakest link in an organisation of any size is always the human element.

Johannesburg, 17 Jul 2018

On 14 June this year, Liberty Holdings lost 40 terabytes of data to hackers who threatened to make that data public unless Liberty paid a ransom. At the time of writing this article, Liberty hasn't paid the ransom, and the data has not been shared.

Ryan Roseveare, MD of BUI, says: "Companies across South Africa should be asking themselves, if a big listed company the size of Liberty Holdings can be hacked, what chance does a smaller business stand?"

It's a fair question. Bigger companies tend to have more budget to allocate to security, and often have dedicated security teams. How can a normal, everyday business defend its data?

Roseveare says: "Spokespeople from Liberty admitted in interviews with the media that IT hadn't been taken seriously for many years. Our view is, if any size of business has a proper security strategy in place, it should be able to quickly identify and respond to an event like this."

Reports have stated the 'hack' was made possible via e-mail systems, often the weakest link in any business, as all the cyber criminals need to gain access is one unsuspecting person.

"It's unwise for businesses to put all their faith in one product when it comes to IT security; they should rather adopt an in-depth defence strategy, a layered security approach that covers all of the different aspects and possible areas of attack. From the latest attacks, it's evident that cyber criminals are no longer just encrypting data, they're holding it to ransom because they know that the regulator fines are so enormous, there's a good likelihood of the victim paying to protect their data from being exposed."

He's quick to point out the Liberty attack represents a whole new kind of cyber attack that's akin to kidnapping, where the data is taken and held to ransom, compared to a ransomware attack where the data is encrypted and can't be accessed by the business unless it pays a ransom.

It's clear that Liberty didn't have a predefined strategy on how to respond in the event of an attack of this nature, says Roseveare. The breach became apparent on 14 June; they only notified clients on 16 June and held a news conference on 17 June. In its communication to the public, Liberty assured clients that they'd suffered no financial loss as a result of the data theft.

However, says Roseveare, this is not strictly true for clients who are shareholders in the listed group. The Liberty Holdings share price fell significantly within days of the attack. The share price dropped 4.7% in the two days after the attack, wiping R1.68 billion off the firm's R34 billion market value. Thus, even without paying the ransom, Liberty Holdings suffered a significant financial blow.

The other problem with the time-frame above, says Roseveare, is that via the Pastebin Web site, the hackers claim to be holding 40 terabytes of stolen data. "Firstly, it shouldn't be possible for that quantity of data to be taken without anybody noticing. Secondly, the cyber criminals must have had access to the network for significantly longer than a day."

While the Protection of Personal Information Act (POPIA) hasn't yet come into force in South Africa, the General Data Protection Regulation (GDPR) applies to any business that has the data of EU citizens. As an international business, this certainly applies to Liberty Holdings. Under the GDPR, companies have to notify customers within 72 hours if their data has been compromised. While Liberty ticked all of the relevant boxes around notifying its clients, the question is whether it will withstand an investigation into its systems and processes around security, should that data be leaked by the cyber criminals, says Roseveare.

Security hints and tips

The question that all businesses, small and large, should be asking themselves is how they can protect their data against attacks like this. Only large enterprises can afford to invest in things like heavy-duty database encryption, intrusion prevention systems, AI-based security software, enterprise-grade anti-virus and a CISO to oversee it all.

The solution, says Roseveare, is to use a cloud-based service with teams of people to do all of this on your behalf, and backed with the appropriate security validations, staff and processes.

Another weak spot in most businesses, he continues, is the use of the same password across several accounts. Because passwords are having to become increasingly complex, people tend to use the same password for their social media, online banking and work-related accounts. Instead, businesses should conduct a password audit and follow up by implementing two-factor authentication to make it that much more difficult for hackers to access sensitive information.

Businesses are right to be nervous that they could be next, concludes Roseveare, as this year alone there have been significant data breaches at several local firms, with personal data exposed at a large property group and a fine payment Web site, just to name two.