Financial services group Liberty said on Sunday evening that it has made no concessions to extortion demands from unknown hackers after the firm’s IT systems came under attack and the personal information of its clients was compromised.
During a press briefing, Liberty Group CEO David Munro described the attempt by hackers to obtain sensitive data as a “criminal act”.
Although Munro did not disclose a great deal of information about the identity of the hackers, the amount demanded or the number of affected clients, he did say that emails formed the bulk of the data stolen.
“It [the compromised information] seems to be emails and attachments. There is no evidence that customers have suffered financial losses … All policies and contracts remain in force,” said Munro.
“We are in full control of our IT environment. We deeply regret this act of criminality.”
Munro said specific and sensitive details about the data breach could not be disclosed as a criminal investigation is pending.
He said Liberty was alerted about the data breach on Thursday evening and alerted the authorities. However, Liberty sent out an SMS to its clients only on Saturday evening, informing them of the breach of security and unauthorised access to its IT systems by unknown hackers.
Asked why the group informed its clients two days after the initial alert on Thursday, Munro said the data breach was “out of the blue” and that these matters are “difficult to understand.”
He continued: “We can’t prepare for this [kind of] event. It took us a couple of days to get to the point where we could inform clients and understand the implications of the extortion attempts.”
He said the data breach has been limited to the company’s insurance operations in South Africa, and that its money management arm Stanlib has not been affected.
The hackers informed Liberty of vulnerabilities in its systems and demanded payment from the company, failing which they would release sensitive information about the firm’s clients to the public.
“We did engage the external party [the hackers] and we made no concessions to the extortion,” said Munro.
Liberty said that since becoming aware of the security and data breach, it had taken immediate steps to secure its computer systems and had launched an investigation into the incident.
“We are on top of the situation and working hard to protect customers,” said Munro. “We have devoted all efforts to protect customers and [their] details. We have assembled a full team of technology specialists that specialise in incidents like this. No money has been spared.”
Data breaches are a rising threat across industries, and regulations over personal information have toughened up in recent years. Such regulation includes the Protection of Personal Information Act, which puts the onus on companies to store, protect and safely destroy personal information.
A recent report by Australian cybersecurity researcher Troy Hunt along with Tefo Mohapi from iAfrikan Digital revealed that the sensitive personal information of nearly one million (934 000) South Africans who pay their traffic fines online had been publicly leaked. This leak contained identity numbers‚ email addresses‚ full names and passwords.
A similar breach of personal information occurred in 2017 when the records of over 60 million South Africans were compromised.