‘Liberty breach should never have happened’ — cybersecurity expert

A cybersecurity specialist has said that — contrary to claims made by Liberty Holdings — the recent major data breach demonstrates that the financial services company is actually not fully in control of its data infrastructure.

Andrew Chester, managing director of security specialist firm Ukuvuma Cyber Security, said on Monday the fact that information was so easily accessible demonstrates an “alarming” lack of security in place to protect clients.

Liberty chief executive David Munro said the company is in control of its technology and data infrastructure and is working with authorities to get to the bottom of a data breach which occurred on Thursday evening.

READ MORE: Data breach under control and under investigation, says Liberty CEO

He maintained that no clients — whom the company alerted of the breach on Saturday evening via text message — suffered any financial loss as a result of the breach.The company is currently working with authorities to investigate the breach and has since said the company did engage with the external parties involved to determine their intentions.

Munro confirmed no concession was made in the face of this “attempted extortion”, saying, “Liberty is at an advanced stage of investigating the extent of the data breach, which at this stage, seems to be largely emails and possibly attachment.”

In the wake of ransom threats, Chester asked of the company why it had unstructured email data and attachments that were left unmonitored and more importantly, why this data was not encrypted.

READ MORE: Liberty refuses to pay hackers

“Additionally, how did the hackers know where to find the data? If it was an inside job they might have been tipped off, but if it wasn’t, it means that they spent enough time on the infrastructure to know where to look, which is very alarming,” he said.

Though Chester told the Mail & Guardian he could not speculate on how exactly the breach occurred, he is able to surmise that the hackers were very successful in obtaining the what ought to be highly protected information — a fact that betrays the company’s less than impervious security infrastructure.

Chester said that the breach could have been avoided simply by applying general data security practices such as always encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring systems.He called these protections “low-hanging fruit” in the greater scheme of security infrastructure.

Chester also noted a relative lack in corporate South Africa when it comes to knowledge on cybersecurity. While the country is certainly progressing in this area, many companies are unaware of the most basic security measures, he added. He called on South African companies to educate themselves on how best to protect their data systems.

“These breaches are not difficult to prevent,” he said. “Companies ought to make it as difficult as possible for hackers to access this data, and they do not have to spend millions to do so.”

The significance of the Liberty breach, despite the possibility that client personal data was leaked, is that the incident could be the first South African case subject to the General Data Protection Regulation (GDPR) since its inception on 25 May 2018, Chester explained.

The GDPR, which Liberty has to conform to because of its European stakeholders, states that companies must send out breach notifications to their clients.“How many big corporate data breaches are we unaware of that occurred before the implementation of GDPR? … Should client personal data leak onto the dark or public web, a lot of personal liability issues become a reality for Liberty,” he said.

These are unprecedented times, and the role of media to tell and record the story of South Africa as it develops is more important than ever. But it comes at a cost. Advertisers are cancelling campaigns, and our live events have come to an abrupt halt. Our income has been slashed.

The Mail & Guardian is a proud news publisher with roots stretching back 35 years. We’ve survived thanks to the support of our readers, we will need you to help us get through this.

To help us ensure another 35 future years of fiercely independent journalism, please subscribe.

Sarah Smit
Sarah Smit
Sarah Smit is a general news reporter at the Mail & Guardian. She covers topics relating to labour, corruption and the law.

Stella set to retain her perks

Communication minister will keep Cabinet perks during her two months of special leave

Not a sweet deal, Mister

Mister Sweet workers say they will not risk their health, and the lives of others, to continue producing and packaging confectionaries

Covid-19 grounds Nigeria’s medical tourists

The country’s elites, including the president, travelled abroad for treatment but now they must use the country’s neglected health system

Nehawu launches urgent court bid over protective gear for health...

The health workers’ union says the government has rebuffed its attempts to meet about mitigating risks to workers

Press Releases

Rahima Moosa Hospital nursing college introduces no-touch facial recognition access system

The new system allows the hospital to enrol people’s faces immediately, using artificial intelligence, and integrates easily with existing access control infrastructure, including card readers and biometrics

Everyone’s talking about it. Even Kentucky

Earlier this year South African fried chicken fast-food chain, Chicken Licken®, launched a campaign for their wallet-friendly EasyBucks® meals, based on the idea of ‘Everyone’s talking about it.’

New energy mix on the cards

REI4P already has and will continue to yield thousands of employment opportunities

The online value of executive education in a Covid-19 world

Executive education courses further develop the skills of leaders in the workplace

Sisa Ntshona urges everyone to stay home, and consider travelling later

Sisa Ntshona has urged everyone to limit their movements in line with government’s request

SAB Zenzele’s special AGM postponed until further notice

An arrangement has been announced for shareholders and retailers to receive a 77.5% cash payout

20th Edition of the National Teaching Awards

Teachers are seldom recognised but they are indispensable to the country's education system

Awards affirm the vital work that teachers do

Government is committed to empowering South Africa’s teachers with skills, knowledge and techniques for a changing world