Liberty may face Europe's GDPR wrath after hack
The Liberty hack could be the first South African incident subject to the General Data Protection Regulation (GDPR) since its inception on 25 May.
So says Andrew Chester, MD of Ukuvuma Cyber Security, who points out that the GDPR, which Liberty has to conform to because of its European stakeholders, states that companies must send out breach notifications to their clients.
In a statement issued yesterday, Liberty, a financial services company, said it regrets to confirm that it has been subject to illegal and unauthorised access to its IT infrastructure. It noted that an external party illegally obtained data from Liberty and demanded payment.
"Liberty was alerted of the intrusion into its network late on the evening of 14 June. Liberty specialist teams immediately began investigating the incident, prioritising the protection of customer details and of the security of the company's IT systems. The relevant authorities were also alerted. As soon as Liberty was able, customers were informed via e-mails, SMSes and via a media statement on the afternoon of 16 June," it said.
David Munro, Liberty CEO, says: "Our team of dedicated IT specialists and security personnel have devoted all their efforts around the clock to ensure that we live up to duty of care to protect our customers and their details. We immediately identified and addressed specific vulnerabilities the Liberty IT infrastructure may have had, ensuring the integrity of our customer data.
"We can confirm that we are in full control of our IT environment. To our customers, we totally understand the concerns they might have about the impact of this act of criminality. We did engage with the external parties involved to determine their intentions, but we made no concessions in the face of this attempted extortion."
The firm says it is at an advanced stage of investigating the extent of the data breach, which at this stage seems to be largely e-mails and possibly attachments.
"At this stage, there is no evidence that any customers or the group have suffered any financial losses."
However, Chester says Liberty claims it is in control of its technology and data infrastructure after a massive data breach but the fact that hackers could extract data undetected is alarming. He points out that cyber criminals are now claiming a ransom to not release the information of Liberty's top clients and this news has sent panic through the insurance and finance industries.
"Why did Liberty have unstructured e-mail data and attachments that were left unmonitored, and more importantly, why was this sensitive data not encrypted? When doing threat hunting or a security analysis for any company, the first thing one looks for is how easy it is to extract data without being detected," says Chester.
"Additionally, how did the hackers know where to find the data? If it was an inside job, they might have been tipped off, but if it wasn't, it means they spent enough time on the infrastructure to know where to look, which is very alarming," he explains.
Liberty's share price on Monday morning opened at a high of R126.69 per share and by lunchtime, the share price had declined by 4.3% to R119 per share, wiping away an estimated R1.5 billion.
The effect of the hack was not confined to Liberty, as banking shares also suffered on the day, bearing in mind that Liberty is owned by Standard Bank.
Chester says another point to consider is how the hackers gained access. "It most likely happened in one of two ways: it was either an inside job or someone with the correct privileges was hacked, which means they could have used that person's permissions to get into the system."
He believes this could have been avoided simply by applying general data security practices, such as always encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring systems.
"It's also quite alarming that no one detected the breach until the hackers themselves informed Liberty. There's a common saying that you sometimes don't know you've been hacked until law enforcement comes knocking at your door, but in this case Liberty only found out once the criminals had contacted them," he adds.
Thus, he notes, this could be the first South African incident subject to the European data privacy law, GDPR.
SA's data privacy law, the Protection of Personal Information Act, is still to come into force. Following similar data breaches, the information regulator said it is not yet fully functional to be able to deal with such incidents.
However, the regulator has reportedly summoned Liberty to explain how it was hacked.
Reuters reports that the regulator said it was concerned about the data breach and wanted to meet the insurer to get more details.
"The information regulator has noted with concern various media reports regarding a material data breach at Liberty Holdings," Pansy Tlakula, chairwoman of the regulator, said in a statement.