The share price of Liberty Holdings fell by almost 5% on Monday, from R124 to R119.16, following the data breach announced by the financial services company on Thursday, with the hackers allegedly demanding a ransom in exchange for the data to be returned to the company and not leaked online.
Amid the panic that it caused, Liberty chief executive David Munro said that investments remained uncompromised and an investigation was under way.
“There’s been no financial loss on investments and none of our policy documentation has been compromised at all. Of course, there are wide ramifications when data is leaked. We’re going to have to make sure we do everything we can do address that,” Munro said at a press briefing on Sunday.
The group, which offers products ranging from asset management and insurance products to more than 3.2 million people across 18 countries in Africa, is the latest company to fall victim to a cyber breach.
In May, nearly one million South Africans had their data leaked via the online platform used to pay traffic fines.
In 2017 in what was believed to South Africa’s largest data breach, nearly 60 million South Africans fell prey to having sensitive information such as ID numbers and directorships leaked. The data was accessed from one of the country’s top real-estate firms, when a server linked to Realty1, Jigsaw Holdings, was hacked.
Movie house Ster-Kinekor was also exposed to a data breach earlier in 2017, when the data of 1.6 million customers was leaked.
On Thursday evening, Liberty was alerted to a breach by intruders who claimed that they had managed to infiltrate Liberty’s systems and extract the details of customers, including emails and attachments.
“Liberty was alerted of the intrusion into its network late on Thursday evening. Liberty specialist teams immediately began investigating the incident, prioritising the protection of customer details and of the security of the company’s IT systems. The relevant authorities were also alerted. As soon as Liberty was able, customers were informed via mails, SMSs and via a media statement on Saturday afternoon,” Liberty said in a statement.
Liberty said that it was in full control of its IT systems, and that its clients remained its full priority.
Despite the assurances given by Liberty, Andrew Chester, managing director of Ukuvuma Cyber Security, called for Liberty to be more transparent with regards to how exactly they were breached.
“As a Liberty client, I am very worried. Should client personal data leak on to the dark or public web, a lot of personal liability issues become a reality for Liberty,” Chester said. He added that it was also possible that the only reason Liberty informed its clients of the breach at all was due to the recently introduced General Data Protection Regulation, but that we wouldn't know until Liberty released more information to the public.
The regulation binds all members of the European Union to clearly disclose any data collection, and Liberty has to conform to the act because of its European stakeholders.
“It’s also quite alarming that no one detected the breach until the hackers themselves informed Liberty. There’s a common saying that you sometimes don’t know you’ve been hacked until law enforcement comes knocking at your door, but in this case Liberty only found out once the criminals had contacted them,” he said.