Latest big corporate data breach: why Liberty's clients should be bringing it to book
Andrew Chester, MD of Ukuvuma Cyber Security asks a few burning questions after the recent announcement that hackers got their hands on Liberty clients' sensitive data.
Clients of insurance giant Liberty Life received an alarming piece of news per SMS on Saturday evening: Liberty had been notified of a data breach of client information the previous Thursday evening. On Sunday, the Sunday Times reported that hackers wanted "millions" from Liberty in order to not release the information of their top clients. This news, of course, has sent ripples through the insurance, finance and cyber security industry, says Andrew Chester is the Managing Director of Ukuvuma Security.
The announcement itself is quite interesting, because as far as we know, this could be the first South African incident subject to the General Data Protection Regulation (GDPR) since its inception on 25 May 2018. The GDPR, which Liberty has to conform to because of its European stakeholders, states companies must send out breach notifications to their clients. This poses the burning question: how many big corporate data breaches were we unaware of before the implementation of GDPR?
So, what did hackers get a hold of at Liberty? What we know thus far is that unstructured e-mail data and attachments were compromised. This raises a few worrying questions, of which the first is: why did Liberty have unstructured e-mail data and attachments that were left unmonitored? Secondly, why was the sensitive data not encrypted? The third question is: how did the hackers know where to find the data? If it was an inside job, they might have been tipped off, but if it wasn't, it means they spent enough time on the infrastructure to know where to look, which is very alarming. Finally, the fact that they could extract the data from within Liberty undetected is even more alarming.
When we do threat hunting or a security analysis for a client, this is one of the first thing we look for: how easy it is to extort data without anyone noticing.
Another point to consider is how the hackers gained access. It most likely happened in one of three ways: it was either an inside job; or someone with the correct privileges was hacked, which means they could have used that person's permissions to get into the system; or or a vulnerable software system and/or ICT operation was exploited and compromised. However, it must be stated that no matter which of these turns out to be true, much of this could have been avoided simply by applying general data security practices, such as always encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring systems.
It's also quite alarming that that no one detected the breach until the hackers themselves informed Liberty. There's a common saying that you sometimes don't know you've been hacked until law enforcement comes knocking at your door, but in this case, Liberty only found out once the criminals had contacted them.
As a Liberty client, I am very worried. Should client details, such as ID numbers, leak onto the dark or public Web, a lot of personal liability issues become a reality. I think the unfortunate truth is that Liberty will be raked over the coals for this, and it could end up costing the company millions in real and reputational damage.
Andrew Chester is the Managing Director of Ukuvuma Security. As a Certified Information Security Systems Professional (CISSP), he has honed his skills in regions across Africa and the Middle East, where he headed up cyber security, threat hunting and incident response teams for large multinationals. Contact Ukuvuma Security at email@example.com or phone us on 086 101 7444.