Liberty misses the point on financial losses from e-mail hack

Sunday Times - Money - Mark Heyink

The Liberty hack graphically illustrates the grave dangers that South Africans are exposed to in their online lives. Liberty has stated the attack is confined to e-mails and there’s no evidence that customers have suffered financial losses, but this misses the point. There may have been no direct loss to customers in their financial dealings with Liberty, but what of the losses that may occur because criminals now have personal and financial information that is useful in the perpetration of cybercrimes against Liberty customers?

Recently there has been a spate of cybercrimes where South Africans have responded to e-mails that look identical to those that they’re used to receiving from financial institutions or attorneys. The credibility of these e-mails is reinforced by the close correlation of the information and context of their dealings with these parties, which can only have been possible if the criminals had access to the communications with the customer. There are very minor differences in the e-mail address and the false banking details used to dupe customers into paying money into an account controlled by criminals.

The typical reaction of the financial institutions is to disclaim liability on the basis that the customer was negligent. They refuse to investigate or give any details of the investigation that may have been conducted relating to their own information systems. Cybersecurity experts tell us that this is disingenuous; it is not the thousands of customers’ e-mail accounts that are hacked and monitored but the financial institutions’ e-mail systems that are compromised to gather information necessary to initiate the attack.

While financial services providers claim that the security of their “financial systems” is adequate, the incidence of cybercrime stemming from poor information security is on the increase. The ombudsman for banking services closed 1 377 complaints of internet banking fraud in 2017 and this is undoubtedly the tip of the iceberg. It is also a fact that companies in the financial services sector are extremely coy in providing details relating to their security systems and expect to be trusted simply because of their fiduciary duty. They often don’t do what is expected or required. In 2016 Standard Bank clients were the subjects of a R300-million fraud. What actually happened? No one has had the courage to tell clients.

The Liberty hack also illustrates the misdirection that financial institutions propagate. The emphasis is that no financial loss has occurred and it was “only e-mails”. This does not take into account that the failure has led to the violation of the constitutional right of privacy that is supposed to be protected by the Protection of Personal Information Act. Our personal information is the raw material that criminals use to perpetrate cybercrimes. Whether there is a loss is irrelevant — the failure to adequately protect personal information is a breach of this obligation.

So who are the criminal’s primary accomplices? We are 30 years behind many other countries in properly addressing the issue of data protection. The government, in particular the Department of Justice, has failed to deal with this issue. Eighteen months after its appointment, the Information Regulator is not functionally operative, and the funding appropriated to the regulator is grossly deficient for the task.

Why is the balance between the rights of the state and the privacy of citizens ignored in the Cybercrimes and Cybersecurity Bill? It is simply too gross an oversight to ignore as the Department of Justice has done.

What of the now discredited State Security Agency, a powerful player in the security cluster of which the Department of Justice is a close ally? It has failed in its duty to ensure adequate security in state information systems. The security standard applicable to state institutions is the Minimum Information Security Standard. This was published in 1996 and was inadequate in dealing with cybersecurity at the time. While there has been an information revolution in the ensuing 22 years, this has never been changed.

The minister of telecommunications and postal services (formerly communications) was required by the Electronic Communications and Transactions Act to develop, within 24 months of the act being enacted (2002), a three-year national e-strategy and submit it to cabinet for approval. This was never done.

The South African Police Service is next to useless in dealing with cybercrime. The lack of success in investigating and prosecuting these crimes is profound.

The failures of government have played into the hands of unscrupulous businesses that have plundered the information of South African citizens, and failed to put adequate security measures in place to protect personal information. They do so without fear of being held accountable.

The monumental neglect of the government in addressing the dangers that face citizens in the 21st century has assisted and abetted cybercriminals who are robbing South Africans. Who will be held accountable? We can only guess — no one, as usual.

Heyink is an attorney specialising in privacy and information security law. He has served as a member of the National Cybersecurity Advisory Council and the South African Law Reform Commission that researched the need for privacy law and prepared the initial drafts of protection of personal information legislation.
