Liberty misses the point on financial losses from e-mail hack
The Liberty hack graphically illustrates the grave dangers that South Africans are exposed to in their online lives. Liberty has stated the attack is confined to e-mails and there’s no evidence that customers have suffered financial losses, but this misses the point. There may have been no direct loss to customers in their financial dealings with Liberty, but what of the losses that may occur because criminals now have personal and financial information that is useful in the perpetration of cybercrimes against Liberty customers?
Recently there has been a spate of cybercrimes in which South Africans have responded to e-mails that look identical to those they are used to receiving from financial institutions or attorneys. The credibility of these e-mails is reinforced by how closely their content matches the customer's actual dealings with these parties, which is only possible if the criminals had access to the communications with the customer. The only differences are minor changes to the sender's e-mail address and substituted banking details, which dupe customers into paying money into an account controlled by the criminals.
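The two tell-tale signs in that pattern, a sender address that is a near-match for a trusted counterparty and banking details that differ from those on record, are mechanical enough to check before money moves. The following is an added illustration, not code from the article or from any institution named in it; the counterparty domains, account numbers and e-mail messages are constructed for the example and hypothetical.

```python
"""Flag business-e-mail-compromise indicators in mail from known counterparties.

Two signals from the fraud pattern described above:
1. the From or Reply-To domain is a lookalike of a known counterparty domain
   (single-character edits or homoglyph swaps such as 1 for l, rn for m);
2. the message carries banking details that differ from those on record.
"""
import re

# Constructed records for illustration; domains and account numbers are hypothetical.
KNOWN_COUNTERPARTIES = {
    "example-attorneys.co.za": {"name": "Example Attorneys", "account": "62123456789"},
    "examplebank.co.za": {"name": "Example Bank", "account": "40011223344"},
}

# Characters commonly swapped for lookalikes; folded before comparing domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalise_domain(domain: str) -> str:
    d = domain.lower().strip().translate(HOMOGLYPHS)
    for pair, single in DIGRAPHS:
        d = d.replace(pair, single)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; adequate for short hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def match_counterparty(domain: str, max_distance: int = 2):
    """Return (known_domain, distance) for an exact or lookalike match, else None.

    Distance is measured after homoglyph folding, so a pure homoglyph swap
    scores 0 even though the raw domain differs from the known one.
    """
    domain = domain.lower()
    if domain in KNOWN_COUNTERPARTIES:
        return domain, 0
    norm = normalise_domain(domain)
    best = None
    for known in KNOWN_COUNTERPARTIES:
        dist = edit_distance(norm, normalise_domain(known))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (known, dist)
    return best


ACCOUNT_RE = re.compile(r"(?i)\baccount[:\s.]*([0-9][0-9 ]{6,}[0-9])")


def extract_accounts(body: str) -> list:
    """Account numbers quoted in the body, with internal spaces removed."""
    return [re.sub(r"\s", "", m) for m in ACCOUNT_RE.findall(body)]


def assess(message: dict) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    from_domain = sender_domain(message["from"])
    reply_domain = sender_domain(message.get("reply_to", "")) or from_domain
    domains = [("From", from_domain)]
    if reply_domain != from_domain:
        domains.append(("Reply-To", reply_domain))
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    matches = [(hdr, dom, match_counterparty(dom)) for hdr, dom in domains]
    hits = [(hdr, dom, m) for hdr, dom, m in matches if m is not None]
    if not hits:
        return []  # unrelated sender; nothing on record to compare against
    for hdr, dom, (known, dist) in hits:
        if dom != known:
            findings.append(f"lookalike {hdr} domain {dom!r} resembles {known!r} "
                            f"(edit distance {dist} after homoglyph folding)")
    known = min(hits, key=lambda h: h[2][1])[2][0]
    for acct in extract_accounts(message["body"]):
        if acct != KNOWN_COUNTERPARTIES[known]["account"]:
            findings.append(f"account {acct} differs from the account on record for {known}")
    return findings


# Constructed sample messages: one genuine, one lookalike sender with new
# banking details, one genuine sender with a redirected Reply-To.
SAMPLE_MESSAGES = [
    {"from": "conveyancing@example-attorneys.co.za",
     "body": "Please pay the deposit to account 62123456789, branch 250655."},
    {"from": "conveyancing@examp1e-attorneys.co.za",
     "body": "Our banking details have changed. Pay to account 62 987 654 321, branch 250655."},
    {"from": "service@examplebank.co.za", "reply_to": "service@examplebank-secure.co.za",
     "body": "Your profile needs to be verified. Reply with your details."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", assess(msg) or "no findings")
```

The check is deliberately narrow: it only compares against counterparties already on record, because a customer has no way to validate an unknown sender, and it treats any change of banking details as a finding to be confirmed out of band (by telephone to a number already held, not one in the e-mail) rather than something to be resolved by looking harder at the message.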
The typical reaction of the financial institutions is to disclaim liability on the basis that the customer was negligent. They refuse to investigate or give any details of the investigation that may have been conducted relating to their own information systems. Cybersecurity experts tell us that this is disingenuous; it is not the thousands of customers’ e-mail accounts that are hacked and monitored but the financial institutions’ e-mail systems that are compromised to gather information necessary to initiate the attack.
While financial services providers claim that the security of their “financial systems” is adequate, the incidence of cybercrime stemming from poor information security is on the increase. The ombudsman for banking services closed 1 377 complaints of internet banking fraud in 2017 and this is undoubtedly the tip of the iceberg. It is also a fact that companies in the financial services sector are extremely coy in providing details relating to their security systems and expect to be trusted simply because of their fiduciary duty. They often don’t do what is expected or required. In 2016 Standard Bank clients were the subjects of a R300-million fraud. What actually happened? No one has had the courage to tell clients.
The Liberty hack also illustrates the misdirection that financial institutions propagate. The emphasis is that no financial loss has occurred and it was “only e-mails”. This does not take into account that the failure has led to the violation of the constitutional right of privacy that is supposed to be protected by the Protection of Personal Information Act. Our personal information is the raw material that criminals use to perpetrate cybercrimes. Whether there is a loss is irrelevant — the failure to adequately protect personal information is a breach of this obligation.
So who are the criminals' primary accomplices? We are 30 years behind many other countries in properly addressing data protection. The government, and in particular the Department of Justice, has failed to deal with this issue. Eighteen months after its appointment, the Information Regulator is still not operational, and the funding appropriated to it is grossly deficient for the task.
Why is the balance between the rights of the state and the privacy of citizens ignored in the Cybercrimes and Cybersecurity Bill? It is simply too gross an oversight to ignore as the Department of Justice has done.
What of the now discredited State Security Agency, a powerful player in the security cluster of which the Department of Justice is a close ally? It has failed in its duty to ensure adequate security in state information systems. The security standard applicable to state institutions is the Minimum Information Security Standard. This was published in 1996 and was inadequate in dealing with cybersecurity at the time. While there has been an information revolution in the ensuing 22 years, this has never been changed.
The minister of telecommunications and postal services (formerly communications) was required by the Electronic Communications and Transactions Act of 2002 to develop, within 24 months of the act's enactment, a three-year national e-strategy and submit it to cabinet for approval. This was never done.
The South African Police Service is next to useless in dealing with cybercrime. The lack of success in investigating and prosecuting these crimes is profound.
The failures of government have played into the hands of unscrupulous businesses that have plundered the information of South African citizens, and failed to put adequate security measures in place to protect personal information. They do so without fear of being held accountable.
The monumental neglect of the government in addressing the dangers that face citizens in the 21st century has aided and abetted the cybercriminals who are robbing South Africans. Who will be held accountable? We can only guess — no one, as usual.
Heyink is an attorney specialising in privacy and information security law. He has served as a member of the National Cybersecurity Advisory Council and of the South African Law Reform Commission project that researched the need for privacy law and prepared the initial drafts of protection of personal information legislation.