The Citizen (Gauteng)

Liberty crack: what experts make of it all

KEY: THERE WASN’T MINIMUM SECURITY IN PLACE

- John Mc Loughlin

Attackers were able to access, move around and remove data without even an alarm or alert to the company.

People are still reeling at the news of the cyber breach at Liberty – the biggest corporate notification of a major information breach that we have seen in South Africa and a relatively new territory for many.

I have seen and heard many people talk about how good the response has been because Liberty has notified their policyholders. There were SMS notifications, follow-ups and a public press conference by the chief executive. A fine example indeed.

Is this a fine example of being a good corporate citizen, or a case of complying with the General Data Protection Regulation (GDPR)?

Let’s look at the facts as we have them and specifically the action timeline with Liberty Holdings Limited:

The breach was noticed on June 14 when they were informed by the attackers.

GDPR has a requirement that you must notify people within 72 hours of a data breach. The SMSs were sent out to clients on June 16 and the press briefing held on June 17 – just inside the 72-hour window.

This raises a question for me: If it wasn’t for the GDPR, would Liberty clients have known their data was now out in the wild?

Think about this information for a moment. We have all dealt with financial services companies such as Liberty before. We have sent correspondence to them on their email systems. Their service providers use email to send test results. So, this clearly unprotected information source has information on medical histories, diagnosis information, blood tests, identity numbers, bank details and financial information – it contains people’s entire lives.

Liberty chief executive David Munro confirms that they were alerted late on June 14 about the breach – the hackers made contact with them. I find this reaction untenable on several levels.

Firstly, the fact that this is a data store containing intimate client information but Liberty had no idea that they had been infiltrated until they were informed by the criminals who performed the hack and were now seeking to extort money.

Secondly, there is no possible excuse for a modern organisation not to identify unauthorised and anomalous activity across its systems, people or networks. The fact that there is anything between 20 and 40 terabytes of information that has been lost, does not mean that this was an accident.

The attackers were able to access, move around and remove the data without even an alarm or alert to Liberty. Further, it was said that only after it was alerted, did they remediate system vulnerabilities.

This could be another part of the problem. Senior executives need to understand that this is not simply an IT issue – this is a security issue. Security is not IT and very importantly, IT is not security.

I am not convinced that Liberty is in control, I do not believe that they had the minimum security in place before the attack became public and I do not believe that they have remediated the issues since the breach.

If an attacker has access to user credentials, they have access to everything.

Monitoring for changes in behaviour or strange login activity is the only defence. This way, you do not need an attacker to tell you there is a problem – you are alerted to it in advance and can remediate it before the damage takes place.

When running a simple search through the breach database, it shows me that there are in excess of 6 800 corporate credentials already out on the dark web for www.liberty.co.za – the last detection came from a source on June 19. A week after the breach was contained?

John Mc Loughlin is managing director of cyber security specialist, J2 Software
