Pan-African financial services company, Liberty, with a presence in 18 African countries offering asset management, investment, insurance and health products to over 3 million people has been hacked.
Liberty clients received notifications on Sunday morning from the company, explaining that its IT infrastructure had been subject to “unauthorised access”.
In a recent notice posted on Liberty’s website they notify their clients of the following:
- Our priority is, and remains, protecting our customers, financial advisers and staff.
- Liberty is the victim of criminal activity.
- There is no evidence that our customers have suffered any financial loss.
- We will proactively inform our customers individually if and when we discover they may have been impacted. No further action is required from our customers at this stage.
- And finally, we are in full control of our IT infrastructure.
Liberty has confirmed the attack and believes that emails and attachments were largely breached. Investigations are still underway; however, it’s believed that clients have not experienced any financial loss. Liberty does not mention the impact the breach may have on clients’ personal information. Being a financial services company, Liberty communicates and holds millions of clients’ sensitive and personally identifiable data including banking information and medical details.
“Liberty IT personnel are running around like headless chickens trying to figure out how much data was accessed, and they can’t explain to their bosses how they were hacked,” a source cited in Sunday Times said.
What we know about the breach
The breach occurred, on Thursday last week, when a party gained unauthorised access to Liberty’s IT Infrastructure due to its alleged weak security. Liberty only became aware of the breach when the hackers themselves informed them.
The party responsible for the hack is claiming to have seized sensitive data from Liberty and has threatened to expose the information if they fail to pay a ransom. Liberty has confirmed that they have made no concessions to the criminals and that they will not meet their ransom demands.
Liberty CEO, David Munro, said that criminals had hacked into an email server and removed messages and possibly attachments, but that there was no evidence that client data files where taken.
He explained that the hack had affected the core Liberty insurance business and not the group’s asset manager, Stanlib, or its other businesses outside of South Africa.
“We have been given a lesson that cybercrime will become more frequent as digital commerce develops,” Munro said.
Cybercrime is on the rise in South Africa
There has been a notable rise in cybercrime in South Africa in recent years and South African companies are increasingly falling victim to cybercrime. It’s fundamental that these businesses take cybersecurity more seriously and employ a secure, vigilant and robust approach to avoid such attacks and to protect their customers’ data.
From the information publicly available, it seems as though these criminals did not have to do very much to access Liberty’s systems and their clients’ data. Their systems weren’t secure and the data was not encrypted. The hack could have been avoided by encrypting the data, using segregation methods and having access control and monitoring systems in place. All of these are necessary security best practices and are commonplace. Liberty failed to have the most basic of security measures in place.
There is no excuse for this. It’s unacceptable that clients’ most confidential data is treated in this manner. Not only is this a breach of their data but also a breach of trust. Clients that become aware that companies have experienced a breach of their personal information often move their business elsewhere, thus ramifications of a data breach on the company are expansive and long-lasting.
Liberty is facing a potential fine for breaching the Protection of Personal Information Act.