Old Mutual hacked; no losses incurred
Financial services company Old Mutual has been hacked.
The company informed its clients that it detected unauthorised entry to one of its systems, which led to some personal customer information being accessed.
Old Mutual, however, did not disclose how many accounts were affected in the data breach.
"We moved swiftly to close access to the targeted system. Our control processes kicked in to safeguard customer portfolios and we can confirm that no customers incurred any financial loss," the company says in a statement.
It adds that no transactional details, credit card information, banking details, medical information or passwords were accessed. Immediate steps were taken to further tighten security, and its systems and surveillance remain on high alert, it notes.
Accessed information includes customer names, telephone numbers and some investment values.
"We would like to sincerely apologise for any concern this may raise with our customers. We view this case in a very serious light - one customer is one too many. We assure you we are conducting stringent reviews to ensure that no incident of this nature is repeated."
Old Mutual also pointed out the attack was not linked to the recent WannaCry virus which brought havoc on computer systems around the world.
After the hack, Old Mutual says it immediately shut down the unauthorised access point. "We also took immediate steps to further tighten our security controls and protect against any such incident happening in future. We have notified the regulators. We are co-operating closely with the SAPS and the investigation is ongoing."
Following the completion of an intensive internal investigation to fully understand the cause, Old Mutual says it will "take the necessary management actions".
Manuel Corregedor, chief operations officer at information security company Telspace Systems, speculates the motive of the hackers was to access personal information of clients and then to use that information as part of a more targeted attack, such as spear-phishing, and to commit identity theft or fraud.
"The truth is any organisation can be breached when an attacker is willing to invest resources and time into attacking the organisation. It's not a matter of 'if my organisation will be attacked, but a matter of when they will be attacked'. It must be noted Old Mutual identified and responded to the breach very well in terms of containing it and notifying the clients," says Corregedor.
He notes that once the Protection of Personal Information (POPI) Act is implemented, organisations will be required to disclose when a breach of personal information occurs.
"I am sure we will hear of more of these cases. However, for now, organisations are not required to disclose when such breaches occur."
He notes that cases such as Old Mutual, once again, highlight the need for organisations to put more proactive controls in place to detect and handle threats or breaches instead of only focusing on preventative controls.
It is definitely feasible that some organisations have been breached and are not even aware of the breach, Corregedor says.
"What is interesting to me is that they [Old Mutual] sent the notification," says Dominic White, CTO at information security company SensePost.
"South African companies have long kept such breaches private. The change is most likely due to POPI. But it's still a brave move from Old Mutual to take this step. Typically, this sort of announcement moves markets, but neither the JSE nor FTSE stock price seems to have been affected much."
Hopefully, White says, this bravery from Old Mutual will embolden others, when breached, to empower consumers with the information, even without the threat of POPI fines.
John Giles, a legal advisor at law firm Michalsons, says Old Mutual currently does not have to comply with the many obligations POPI places on responsible parties.
"It looks like Old Mutual is already complying with most of the obligations POPI will impose on them with regard to breach notifications," he says.
"Affected clients should take steps to protect themselves from harm. They should contact the organisation which informed them about the breach to understand what happened so that they can take the necessary and appropriate steps. In this case, customers have to contact Old Mutual in order to understand what actions they need to take to prevent or minimise any losses."