22 June 2018

Another day, another data breach

(John McCann/M&G)

Like millions of South Africans, I was jolted out of my Sunday morning snooze by an SMS from Liberty, telling me that its data had been hacked. As limited information about the attack has slowly filtered out, it has only served to raise more questions than answers.

If it was “largely” emails and attachments, whose emails and what attachments — and does this mean my bank statements and medical records are in the hands of cyber-extortionists?

Recommendations to “be vigilant” and secure all my passwords may be good in general, but they’re not very helpful when there is nothing I can do to change my ID number, my address or my bank account details.

The same is true of several major data breaches that have hit South Africa in recent months, such as the infamous masterdeeds breach that left more than 60-million South Africans’ personal records openly accessible over the internet.

But ultimately, what has been most disturbing about the Liberty attack hasn’t been the lack of concrete information or the intense speculation about how the attackers managed what they did in the first place.

What has been most alarming for me as a consumer is the reality that, in practical terms, there is currently little recourse for South Africans when data breaches like this happen.

Central parts of the Protection of Personal Information (Popi) Act — the key law meant to protect personal information passed in 2013 — are not yet in force, legal experts point out. And the information regulator, advocate Pansy Tlakula, has, since her appointment in 2016, been battling bureaucracy to get her office fully established.

At the heart of the impasse is whether the information regulator should be listed as a schedule 3 entity under the Public Finance Management Act (PFMA) — which means it would need a board as its accounting authority. This is a view held by the treasury and the department of public service and administration, according to a recent presentation by the regulator to Parliament.

But Tlakula told the Mail & Guardian that the regulator’s position is that it should not be listed under the PFMA, as it functions outside the sphere of national or provincial government. The regulator’s position is that the Popi Act provides for the appointment of a chief executive officer, who is also its accounting officer.

She believes the intent of lawmakers was to create a regulator that was completely independent, in line with other constitutional bodies such as the South African Human Rights Commission.

This mirrors a recent opinion from the Open Democracy Advice Centre (Odac), which argued that the minister of finance cannot list a public institution under the PFMA if it functions outside the sphere of national or provincial government, as per section 47(4)(b) of the Act.

The powers of Tlakula’s office extend not just to private companies but also to the state, and incorporate not just the protection of personal data but also the facilitation of information through the Promotion of Access to Information Act (Paia), according to Odac.

Importantly, the information regulator can hold the responsible parties accountable for not complying with Paia, it noted.

According to Odac, as of 2012, only 16% of access to information requests under Paia were granted, and 54% were simply ignored.

Speculation is that one reason for the hurdles facing Tlakula’s office is that, this way, the government does not risk being forced to make uncomfortable information public.

But Tlakula disagrees. “That has not even occurred to me,” she told the M&G. “At best, it’s probably because the importance of this body might not have been appreciated in some quarters.”

The Liberty case, although unfortunate, comes with a silver lining, Tlakula noted. “South Africa has now awoken to the reality that we need the information regulator,” she said.

Government by its nature was very bureaucratic and “things move slowly”, said Tlakula. But she had been in communication with new finance minister Nhlanhla Nene to address the matter.

“Our view is it is not a train smash,” she said. Resolving the listing matter should not be a prerequisite to the establishment of her office, she said.

Central to Popi are eight conditions that must be met for the processing of personal information to be lawful, according to Avani Singh, a director at legal advisory firm ALT Advisory.

These conditions include that: the purpose for collecting and processing personal information must be defined upfront, appropriate and reasonable measures must be put in place to secure the confidentiality and integrity of personal information being held, and data subjects’ rights must be upheld to enable them to access personal information being held about them.

Penalties for failing to comply with the Act include administrative fines of up to R10‑million or imprisonment, or both.

But, Singh pointed out, the only sections of the Popi Act in force are the definitions, the provisions relating to establishing the office of the regulator, and the powers and procedures for making regulations.

“The substantive provisions, most notably the eight conditions for the lawful processing of personal information, are not yet in force,” she said.

The recent major data breaches in South Africa “are a stark reminder” of the urgent need for the Popi Act to be brought fully into force without further delay, to enable the information regulator to achieve its mandate and safeguard the rights of data subjects in South Africa, she said.

“Importantly, the information regulator needs to be properly resourced, and enjoy full structural and operational independence.”

Although Popi’s powers are limited, the recent implementation of European data protection laws — the General Data Protection Regulation (GDPR) — may yet prove a headache for companies in South Africa that hold personal data.

Although the GDPR is a European Union law, it does provide for the possibility of extraterritorial application under certain circumstances, Singh noted.

For instance, a South African business that offers goods or services to data subjects within the EU is also required to comply with the GDPR, she said — and, as with Popi, it provides for administrative fines.

In the case of the GDPR, these can amount to up to €20‑million or 4% of global turnover in the case of undertakings — whichever is higher.

But, Singh added, under both Popi and the GDPR, the regulator has discretion over the size of the fine. Each complaint must also be assessed on its own merits, taking into consideration, for instance, the severity of the breach and measures taken by the organisation to comply with the law.

Tlakula acknowledged the acute limits on her powers, but said that this did not make the regulator “toothless”. She cited the recent ViewFines case, in which the personal data of almost a million South African drivers was breached, where the company allegedly responsible, Aggregated Payment Systems, gave extensive responses to the regulator. Companies have proactively engaged with the regulator in the event of breaches and also seek advice from her office about the implementation of the law.

Dominic White, chief technology officer at cyber consultancy firm SensePost, which has done work for Liberty in the past, said that, given how little information has been provided by Liberty, the intense speculation about the attack risked doing more harm than good.

Given the complexity of information technology infrastructure, particularly in large organisations, there are myriad ways for attackers to breach a company’s network, he said.

More broadly, however, the commercialisation of personalised data has long been a problem in South Africa. For example, it is relatively easy to get a credit bureau report on someone for a nominal fee, White said.

“The hope is that Popi will make it harder for people who have never spoken to you or garnered your consent to use your personal data.”

In a world in which cybercrime is a growing concern, large financial firms have been some of the largest investors in security, said White. But the concern is that small and medium enterprises are unable to do the same, given the high cost of these services.

Cyber breach: What Liberty says happened

Attackers got into a repository of data — largely emails and attachments — copied it and then demanded payment for it.

This is how financial services firm Liberty Holdings explained the breach of its information technology systems last Thursday. The company, which insures six million lives, administers 10 000 pension schemes and manages the savings of 500 000 people, saw a 5% drop in its share price in the wake of the news.

It only alerted customers to the attack two days later. But it says this was because specialist teams had to investigate the incident to verify the validity of the claim, and prioritise the protection of customer details and the security of the company’s IT systems. The relevant authorities also had to be alerted. “We believe we acted responsibly and made every effort to inform our customers once we were in a position to do so,” it said.

Why it took the hackers to alert Liberty to the breach has left customers baffled. Liberty said in response: “We live in a world of highly sophisticated criminals, whose methods evolve at an equal pace as the technology built to protect data from them.” This, it added, will become an “ongoing challenge” for all corporates.

The alleged hackers — revealed in a post by iAfrikan Digital founder Tefo Mohapi — claimed to have 40 terabytes of information.

Liberty is still trying to identify the full extent of the data that was stolen, it said, and investigations were ongoing. As a result, it could not indicate how old the emails and attachments were that were supposedly taken, or the amount of money the attackers asked for.

The company said it would “pro-actively advise” customers individually if and when it discovered they may have been affected.