Liberty hack attack: 'South Africans should be terrified'
Experts say SA is woefully under-prepared for cyber attacks, and this is just the beginning
South Africa is woefully under-prepared for cyber attacks, with “completely ineffective” laws governing how personal information is protected.
The theft of thousands of Liberty investors’ financial details, and warnings posted by hackers behind last week’s Liberty Holdings hack, point to the dire situation, say cybercrime investigators.
On Monday an anonymous post was made to the website Pastebin by those claiming to be behind the hack.
The post, titled Liberty Holding Breach – Stage 1, revealed that 40 terabytes of data had allegedly been stolen in the hack.
If true, say cybercrimes experts, it will be the country’s biggest hack.
The post, which is written out in six points, reads: “Hello world, Welcome to Stage 1 of ‘Liberty Holdings’ breach, now it’s time to show some interesting data.”
Listing a website, the writer states that they had given a sample of what they had taken to Liberty management as proof for sensitive data.
“We are still holding 40TB that will be published as few (sic) parts, every day. Database files include customers’ data, finance data, few full email backup of their directors and more interesting data.
“Liberty customers have not suffered financial losses due to cyber attack – for only one reason, we did not do that for harming your customers, our goal was to improve your security. you made your choice to, time to pay!”
The Johannesburg Stock Exchange-listed firm’s share prices have fallen nearly five percent since news of the hack was made public.
Cyber crime expert Jacques van Heerden said South Africans “should be terrified”.
He said what had been learnt about the Liberty hack so far was that it was the company’s mail server that had been breached.
“It’s not only e-mails which have been stolen, but the attachments as well, which include policy documents, which contain customers’ sensitive financial information.”
He said if dumped onto the Internet, the data could be used by criminals to open fraudulent accounts without those whose names the accounts are opened in ever knowing.
“We have not even begun to feel the impact of this. The true impact will only be felt much later.” He said the post on Pastebin had indicated that another dump was coming.
“If hackers want to ruin a company’s reputation they dump stolen data there. We are now just waiting. The dump that’s coming will determine whether it is really just one of Liberty’s systems that have been attacked or others.”
Van Heerden warned that the attacks were increasing and becoming far more sophisticated.
“Five years ago we were getting reports of one or two serious breaches a year; now it’s at least two a month. Big corporations and their directors and boards, who are meant to protect people’s personal information, need to catch a wake-up and realise the grave danger we face.
“The amount of data stolen from Liberty is massive. It points to IT system monitoring not being done properly. To steal this amount requires months of clandestine behind-the-scenes infiltration into systems to find the data you are looking for. You don’t do this kind of hack in a day.”
He said one way cyber security systems could be improved at corporations that held customers’ personal information was if there were criminal or financial liability against the business’s directors.
“Then they will realise they need to improve and continuously monitor their company’s IT systems.
“At the moment we have the Protection of Personal Information Act, but its regulator has no powers. The regulator has been left toothless, when it should be able to swiftly deal with company management who are negligent in protecting their customers’ information.”
Danny Myburgh of Cyanre, the Digital Forensics Lab, said the Liberty attack “was off the scale”.
“It would have required a highly sophisticated syndicate. It shows syndicates are scaling up and evolving their operations, which we as a country are completely unprepared for.”
Cyber security expert Tunde Ogunkoya said it would take years for the true extent of the Liberty attack to be known.
“Such an attack is not just a breach of the e-mail system. The sophistication of these attackers means other systems will also have been breached.
“Banks, corporations and their managers owe the public proper explanations. That’s what POPI is about. Under the act you don’t just say there has been a breach, you have to tell people how the breach happened.”
“Unfortunately POPI is not a final law yet.”
Consumer protection lawyer Janusz Luterek said the sections of the POPI Act that needed to give the regulator teeth in terms of bringing about prosecutions were lacking.
“While it’s impossible to prevent everything, if POPI was fully implemented, then situations like this Liberty attack could potentially be dealt with effectively with people held to account.
“With POPI in its current state the public is severely affected. The system has failed them [the public] for what has not been put in place.”