David Munro: Liberty decided not to accede to hackers’ demands Freddy Mavunda

Millions of South Africans woke up on Sunday not to the afterglow of another stunning come-from-behind victory by the revitalised Springboks but to the news that their personal data may have been hacked — again.

Liberty Life sent out text messages to its customers early on Sunday warning them that it had "been subjected to unauthorised access to its IT infrastructure, by an external party".

That Liberty took two days to inform its customers of the breach suggests it doesn’t have a strong-enough focus on its IT systems — which might not have been secure enough, commentators say.

"Nobody [at Liberty] takes IT seriously and then this is what happens," a senior IT executive with more than a decade of experience working with Standard Bank tells the FM on condition of anonymity. Liberty is 53.6%-owned by Standard Bank.

Revelations of Liberty’s hack smacked its share price too. It fell 4.7% in the two days afterwards, wiping R1.68bn off the firm’s R34bn market value.

Liberty Life CEO David Munro told a press conference on Sunday that an "e-mail repository" had been compromised and the hackers, who weren’t identified, had asked for a ransom. Liberty refused to pay it and called in IT and forensic experts to counter the breach.

The exact nature of the hack hasn’t been clarified by Liberty, which stressed no financial losses had been detected yet.

Munro told the FM: "We can confirm that we have been asked for a ransom but can’t comment on the amount until the investigation has run its course.

"Liberty did engage with the external parties involved to determine their intentions, and has decided not to accede to their demands."

This hack follows last month’s so-called ViewFines data breach when an estimated 1m South Africans’ details were exposed. ViewFines.co.za allows people to pay their traffic fines online. The website has since been taken offline.

This breach was uncovered by renowned global security researcher Troy Hunt, who created Haveibeenpwned.com, which lets people know if their e-mails have been compromised. He also alerted the country to the Master Deeds leak last year, where an estimated 60m personal details were posted online in an unsecured database by property company Jigsaw Holdings, whose subsidiaries include Aida, ERA and Realty-1.

The Liberty hack is significant because it’s "the biggest breach yet of a financial services corporation in SA," says Arthur Goldstuck, MD of World Wide Worx.

"It is also a rare example of hackers attempting to extort a ransom from a major corporation without the use of ransomware."

Ransomware burst into the mainstream last May when it was used to freeze operations at courier giant FedEx, Spain’s largest telecommunications company Telefónica, Britain’s national health-care service, French car maker Renault and Russia’s interior ministry.

In the Liberty hack, it has been speculated that the hackers targeted the "e-mail repository" because it might be less heavily secured than other IT systems (see Pattern Recognition).

"E-mail appears to be a weak link because it is typically not encrypted," says Goldstuck. "However, the real weak link is the human being. The easiest form of hacking is what is called social engineering, which is the use of trickery to get information from employees. Aside from that, individuals responsible for systems security are sometimes not sufficiently trained or resourced to do their jobs properly."

He adds: "When information security is not regarded as an executive or board issue, one often sees corners cut and budgets restricted. So there may well be system deficiencies, but they are a result of management or human deficiencies."

Munro would not confirm details about this server and whether the data was encrypted. "We can’t verify that at this point until the full extent of the breach is understood," he said. "Once the investigation is complete and we know more about the extent of the breach, we will be able to shed more light on this."

The Protection of Personal Information Act (Popia) 4 of 2013 contains legal sanctions for firms that are found to not have proper security and not have sufficiently safeguarded their customers’ personal data. But Popia hasn’t yet been properly enacted.

World Wide Worx did research two years ago which found that "half of IT decision makers in SA corporations believed their organisations were vulnerable to a cyberattack," Goldstuck says.

"One in 10 would not know they’d been breached for the first 24 hours and another one in 10 only after 12 hours. A quarter would know within the hour," he says of the research done with networking giant VMware.