‘Liberty breach should never have happened’ — cybersecurity expert
A cybersecurity specialist has said that — contrary to claims made by Liberty Holdings — the recent major data breach demonstrates that the financial services company is actually not fully in control of its data infrastructure.
Andrew Chester, managing director of security specialist firm Ukuvuma Cyber Security, said on Monday the fact that information was so easily accessible demonstrates an “alarming” lack of security in place to protect clients.
Liberty chief executive David Munro said the company is in control of its technology and data infrastructure and is working with authorities to get to the bottom of a data breach which occurred on Thursday evening.
He maintained that no clients — whom the company alerted of the breach on Saturday evening via text message — suffered any financial loss as a result of the breach.The company is currently working with authorities to investigate the breach and has since said the company did engage with the external parties involved to determine their intentions.
Munro confirmed no concession was made in the face of this “attempted extortion”, saying, “Liberty is at an advanced stage of investigating the extent of the data breach, which at this stage, seems to be largely emails and possibly attachment.”
In the wake of ransom threats, Chester asked of the company why it had unstructured email data and attachments that were left unmonitored and more importantly, why this data was not encrypted.
“Additionally, how did the hackers know where to find the data? If it was an inside job they might have been tipped off, but if it wasn’t, it means that they spent enough time on the infrastructure to know where to look, which is very alarming,” he said.
Though Chester told the Mail & Guardian he could not speculate on how exactly the breach occurred, he is able to surmise that the hackers were very successful in obtaining the what ought to be highly protected information — a fact that betrays the company’s less than impervious security infrastructure.
Chester said that the breach could have been avoided simply by applying general data security practices such as always encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring systems.He called these protections “low-hanging fruit” in the greater scheme of security infrastructure.
Chester also noted a relative lack in corporate South Africa when it comes to knowledge on cybersecurity. While the country is certainly progressing in this area, many companies are unaware of the most basic security measures, he added. He called on South African companies to educate themselves on how best to protect their data systems.
“These breaches are not difficult to prevent,” he said. “Companies ought to make it as difficult as possible for hackers to access this data, and they do not have to spend millions to do so.”
The significance of the Liberty breach, despite the possibility that client personal data was leaked, is that the incident could be the first South African case subject to the General Data Protection Regulation (GDPR) since its inception on 25 May 2018, Chester explained.
The GDPR, which Liberty has to conform to because of its European stakeholders, states that companies must send out breach notifications to their clients.“How many big corporate data breaches are we unaware of that occurred before the implementation of GDPR? … Should client personal data leak onto the dark or public web, a lot of personal liability issues become a reality for Liberty,” he said.