Weekend Argus (Saturday Edition)

Regulator seeks meeting with Liberty over data hack

- STAFF REPORTER

The Information Regulator this week requested an urgent meeting with Liberty Holdings to get an understanding of how its data storage system was breached by hackers recently.

According to SANews, the government news agency, the chairperson of the regulator, Advocate Pansy Tlakula, said on Monday that the regulator had written to the chief executive of Liberty Holdings, David Munro, to find out how the breach occurred, the extent of the breach, the interim measures put in place to prevent further compromises, and measures taken to inform affected customers.

Last weekend, Liberty announced that hackers had claimed to have seized data from the assurer and demanded a ransom. However, Liberty said it made no concessions to the hackers, and there was no evidence that its customers had suffered any financial loss.

Liberty said it will inform customers individually if it discovers they might have been affected.

Although not all the provisions of the Protection of Personal Information Act have come into effect, the regulator has encouraged organisations to comply with the Act. Section 19 requires responsible parties to put in place measures to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable technical and organisational measures to prevent the loss of, damage to, or unauthorised destruction of personal information, or unlawful access to or processing of personal information.

Matt Boddy, a security specialist at IT security firm Sophos, says: “Cybercriminals claim to have broken into Liberty, stolen some data, and for a suitable blackmail payment will keep it secret. If not, they’ll leak it to the world.

“Liberty has refused to pay, and good on them – after all, there’s no guarantee that the crooks wouldn’t leak the data anyway, or sell it to other crooks, or come back with bigger demands next month. In fact, now that the crooks have this data, what if they get hacked and the data is stolen by someone else? The pay-for-silence game could go on forever.

“This isn’t like a ransomware attack, where crooks demand money to get your computer system running again. In an extortion attack of the sort against Liberty, you’re ‘paying for a negative’, essentially trusting the crooks for evermore.”

Boddy says that if you’re a Liberty customer, watch out for news from the company about the breach, keep an eye on your statements, and be vigilant about e-mails, phone calls and text messages that offer to ‘help you recover’ from this incident.

“These messages could come from anyone,” he says. “Look up the contact details yourself, for example, on an old statement, or use a search engine.”
