‘Liberty breach should never have happened’ — cybersecurity expert

A cybersecurity specialist has said that — contrary to claims made by Liberty Holdings — the recent major data breach demonstrates that the financial services company is actually not fully in control of its data infrastructure.

Andrew Chester, managing director of security specialist firm Ukuvuma Cyber Security, said on Monday the fact that information was so easily accessible demonstrates an “alarming” lack of security in place to protect clients.

Liberty chief executive David Munro said the company is in control of its technology and data infrastructure and is working with authorities to get to the bottom of a data breach which occurred on Thursday evening.


He maintained that no clients — whom the company alerted of the breach on Saturday evening via text message — suffered any financial loss as a result of the breach. The company is currently working with authorities to investigate the breach and has since said that it did engage with the external parties involved to determine their intentions.

Munro confirmed no concession was made in the face of this “attempted extortion”, saying, “Liberty is at an advanced stage of investigating the extent of the data breach, which at this stage, seems to be largely emails and possibly attachment.”

In the wake of ransom threats, Chester asked why the company had unstructured email data and attachments that were left unmonitored and, more importantly, why this data was not encrypted.


“Additionally, how did the hackers know where to find the data? If it was an inside job they might have been tipped off, but if it wasn’t, it means that they spent enough time on the infrastructure to know where to look, which is very alarming,” he said.

Though Chester told the Mail & Guardian he could not speculate on how exactly the breach occurred, he is able to surmise that the hackers were very successful in obtaining what ought to be highly protected information — a fact that betrays the company’s less than impervious security infrastructure.

Chester said that the breach could have been avoided simply by applying general data security practices such as always encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring systems. He called these protections “low-hanging fruit” in the greater scheme of security infrastructure.

Chester also noted a relative lack of cybersecurity knowledge in corporate South Africa. While the country is certainly progressing in this area, many companies are unaware of the most basic security measures, he added. He called on South African companies to educate themselves on how best to protect their data systems.

“These breaches are not difficult to prevent,” he said. “Companies ought to make it as difficult as possible for hackers to access this data, and they do not have to spend millions to do so.”

The significance of the Liberty breach, despite the possibility that client personal data was leaked, is that the incident could be the first South African case subject to the General Data Protection Regulation (GDPR) since its inception on 25 May 2018, Chester explained.

The GDPR, which Liberty has to conform to because of its European stakeholders, states that companies must send out breach notifications to their clients. “How many big corporate data breaches are we unaware of that occurred before the implementation of GDPR? … Should client personal data leak onto the dark or public web, a lot of personal liability issues become a reality for Liberty,” he said.


Sarah Smit
Sarah Smit is a general news reporter at the Mail & Guardian. She covers topics relating to labour, corruption and the law.
