Picture: ISTOCK
Picture: ISTOCK

Liberty’s share tumbled 4% on Monday as the insurer divulged little new detail of a data breach unlikely to result in a fine, even if the company has fallen foul of information-protection laws.

The breach is the latest blow for Liberty, whose earnings have gone backwards for the past two financial years.

Liberty told customers at the weekend hackers had infiltrated e-mails and attachments and were demanding payment for the stolen data. Liberty had refused the "attempted extortion", it said.

Liberty was in full control of its IT environment, CEO David Munro said on Sunday. "At this stage there is no evidence that any customers have suffered any financial losses," he said.

Liberty, which could not quantify what the attack would cost it, declined to comment on whether it had cyber insurance.

The Information Regulator could not fine Liberty were it found to have breached the Protection of Personal Information Act, said full-time member of the regulator, advocate Johannes Collen Weapond. Not all sections of the act were operative and so the regulator did not yet have these powers, he said.

The information regulator would meet Liberty to understand the extent of the breach and steps it was taking, Weapond told Business Day.

Customers who could prove they had suffered damages because of a data breach at a business could institute civil action, said Santho Mohapeloa, digital distribution specialist at SHA Specialist Underwriters, a Santam subsidiary.

But given the number of data breaches that had occurred recently, including "Master Deeds", Facebook and ViewFines, it could be difficult to prove which breach had caused a loss, unless a customer could prove that information had been shared only with a specific company, said Weapond.

Under the act companies were liable for losses of personal information under their control, Mohapeloa said.