A wakeup call
Liberty recently shared the news that its IT systems were targeted by hackers who had taken the company’s data and demanded payment.
Experts question security measures
Cyber security experts have questioned why the financial institution did not have appropriate security measures in place. Andrew Chester, Managing Director of Ukuvuma Cyber Security, for example, asked a few critical questions because he finds it alarming that hackers could extract data undetected.
“Why did Liberty have unstructured email data and attachments that were left unmonitored and more importantly, why was this sensitive data not encrypted. When doing threat hunting or a security analysis for any company, the first thing one looks for is how easy it is to extract data without being detected. Additionally, how did the hackers know where to find the data? If it was an inside job they might have been tipped off, but if it was not, it means that they spent enough time on the infrastructure to know where to look, which is very alarming,” he explains.
Chester says another point to consider is how the hackers gained access. “It most likely happened in one of two ways, it was either an inside job or someone with the correct privileges was hacked, which means that they could have used that person's permissions to get into the system. It is also quite alarming that that no one detected the breach until the hackers themselves informed Liberty,” he adds.
FAnews spoke to David Munro, CEO of Liberty, to get feedback on the steps the company is currently taking following the breach and what this means for them, their advisers and its clients.
“Our team of dedicated IT specialists and security personnel have devoted all their efforts around the clock to ensure that we live up to the duty of care to protect our clients and their details. We can confirm that we have secured our IT environment and are working towards rebuilding the trust invested in us by our clients over the last 61 years,” says Munro.
“We are on top of the situation and working hard to protect our clients' data. At this stage there is no evidence that any clients have suffered any financial losses. Liberty staff will proactively inform any clients individually if and when it is discovered that they may have been impacted. Our investigations are ongoing to ensure that we rectify the situation. We have sent direct communications to our clients and encouraged them to reach out to us should they have any queries and/or concerns. Additionally, we are working with the authorities and are at an advanced stage of the investigation. We will deal with the situation as we uncover information,” he said.
“Brokers can advise their clients to be vigilant in the protection of their data and can also alert them on the following: that Liberty will not send clients an email or link for them to change any of their passwords and that it is always good practice to ensure they select strong passwords and change them on a regular basis. They can also tell our clients that this incident is not unique to Liberty. It is something that will continue to be a challenge for all organisations in the evolution of the digital transformation. Liberty is doing all it can to prioritise the protection of adviser and client data,” emphasised Munro.
In a final message to FAnews readers Munro said, “As soon as we were made aware of this incident, we immediately identified and addressed specific vulnerabilities the Liberty IT infrastructure may have had, ensuring the integrity of our client data. We can confirm that we are in full control of our IT environment. To our clients, we totally understand the concerns they might have about the impact of this act of criminality and we are working hard to rectify the situation.”
The regulator, POPI and GDPR
“To date, this is one of the most worrying breaches to be reported in South Africa, especially given the size of this financial institution and the extent of personal information of which it is a custodian. In addition, this could be the first South African incident which is subject to General Data Protection Regulation (GDPR), since its inception on 25 May 2018, given its European stakeholders,” says Greg Harrup, Trainee Underwriter at Camargue Underwriting Managers.
“Pansy Tlakula, Chairwoman of the Information Regulator, has expressed her concerns regarding the breach, and has reportedly met with Liberty in this regard. Although the Protection of Personal Information Act (POPIA) has not been fully implemented as yet, it will be interesting to see how the Information Regulator will react to the Liberty breach, given that they do not have full powers to address data breaches, in the absence of POPIA implementation,” continues Harrup.
The extent of the crime
“This recent attack has shown that social engineered malware and data encrypting ransomware are the most common ways of attack. However, the source of an attack can only be determined after careful investigation,” says Santho Mohapeloa, Digital Distribution Specialist at SHA Specialist Underwriters.
“The extent of the breach or hack depends on the size of the company, nature and number of clients, and the nature of information/data held, stored or processed by the company. It is easier to quantify the loss in respect of the infrastructure, but it is a difficult task to quantify the extent of the loss in relation to future profits, goodwill of the business and the reputational harm caused by the breach,” continues Mohapeloa.
With data in the hands of hackers, this means an immediate increase in cost to the company. “This is spread across the monitoring of the IT platforms, implementation of adequate security, segregation of servers, public relations response and finally, shareholder value,” says Harrup.
“It is important to consider that Liberty Holdings is a substantial financial institution with a significant reach in terms of resources and personnel to assist in the day to day cyber infrastructure and security of their organisation. If an entity such as Liberty can be breached, however, the outlook for smaller organisations is much grimmer. As a result, entities need to proactively make use of the m-cubed principle: Manage, Mitigate and Migrate critical business risks,” concludes Harrup.
Unfortunately, cybercrime, like any other crime, is here to stay. Liberty’s cybercrime incident should be a wake-up call to many in the insurance industry of the potential risks that are out there. Don’t wait for law enforcement to come knocking at your door. As Harrup emphasised, with cybercrime being placed in the top three risks to be aware of globally, we should be asking how we can prevent such attacks and protect the assets we have been given custody over. This includes the information held for stakeholders. Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts firstname.lastname@example.org.
This articles is published courtesy of FANews