Liberty claims that it is in control of its technology and data infrastructure after a massive data breach, but the fact that hackers could extract data undetected is alarming. Cyber criminals are now demanding a ransom not to release the information of Liberty’s top clients, and the news has set off alarms across the insurance and finance industries.

Why did Liberty have unstructured email data and attachments that were left unmonitored? And, more importantly:

Why was this sensitive data not encrypted?

When doing threat hunting or a security analysis for any company, the first thing one looks for is how easy it is to extract data without being detected.

Additionally, how did the hackers know where to find the data?

If it was an inside job they might have been tipped off, but if it wasn’t, it means that they spent enough time on the infrastructure to know where to look, which is very alarming. It most likely happened in one of two ways: either it was an inside job, or someone with the right privileges was compromised and the attackers used that person's permissions to get into the system.


This could have been avoided simply by applying general data security practices: always encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring. It is also quite alarming that no-one detected the breach until the hackers themselves informed Liberty.
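As an added example of the monitoring side of those practices (this is not code from this post or from Liberty), the script below shows how bulk extraction of the kind described here can be flagged from ordinary proxy or firewall egress logs: it totals outbound bytes per internal host per day, compares each day against the median of that host's earlier days, and reports any day that exceeds the baseline by a large factor, together with destinations the host had never contacted before. The log format, the sample lines, the host names and addresses, the 10x ratio and the two-day minimum history are all assumptions made for the illustration.

```python
"""Egress-volume anomaly detection over proxy/firewall logs.

Added example, not from the original post or from Liberty. Flags hosts whose
daily outbound byte count jumps far above their own recent baseline and lists
destinations they had never contacted before. The log format, thresholds and
sample lines are assumptions constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines: "<ISO timestamp> <src host> <destination> <bytes out>".
# Three quiet days for each host, then one host pushes ~16 GiB to an unknown address.
SAMPLE_LOGS = """\
2018-06-10T09:12:01 ws-finance-07 mail.example.com 48212
2018-06-10T10:30:44 ws-finance-07 cdn.example.net 120334
2018-06-11T09:05:13 ws-finance-07 mail.example.com 51020
2018-06-11T13:41:09 ws-finance-07 cdn.example.net 98711
2018-06-12T08:59:57 ws-finance-07 mail.example.com 47990
2018-06-12T11:20:02 ws-finance-07 cdn.example.net 110450
2018-06-13T02:14:31 ws-finance-07 203.0.113.45 8589934592
2018-06-13T03:02:10 ws-finance-07 203.0.113.45 9126805504
2018-06-10T09:00:00 ws-hr-02 mail.example.com 30000
2018-06-11T09:00:00 ws-hr-02 mail.example.com 31000
2018-06-12T09:00:00 ws-hr-02 mail.example.com 29500
2018-06-13T09:00:00 ws-hr-02 mail.example.com 30500
"""


def parse_logs(text):
    """Parse whitespace-separated log lines into (day, host, dest, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        day = datetime.fromisoformat(ts).date()
        records.append((day, host, dest, int(nbytes)))
    return records


def daily_egress(records):
    """Return {host: {day: [bytes_out, set_of_destinations]}}."""
    per_host = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for day, host, dest, nbytes in records:
        entry = per_host[host][day]
        entry[0] += nbytes
        entry[1].add(dest)
    return per_host


def find_egress_anomalies(per_host, ratio=10.0, min_baseline_days=2):
    """Flag a host/day whose outbound bytes exceed ratio x the median of its prior days.

    The baseline is per host, so a busy file server and a quiet workstation are
    each judged against their own history. Each anomaly records the destinations
    that were not seen on any baseline day for that host.
    """
    anomalies = []
    for host, days in per_host.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            prior = ordered[:i]
            if len(prior) < min_baseline_days:
                continue  # not enough history to form a baseline yet
            baseline = median(days[d][0] for d in prior)
            bytes_out, dests = days[day]
            if bytes_out > ratio * baseline:
                known = set().union(*(days[d][1] for d in prior))
                anomalies.append({
                    "host": host,
                    "day": day.isoformat(),
                    "bytes_out": bytes_out,
                    "baseline": baseline,
                    "new_destinations": sorted(dests - known),
                })
    return anomalies


def analyse(text=SAMPLE_LOGS):
    """Run the full pipeline over raw log text and return the anomaly list."""
    return find_egress_anomalies(daily_egress(parse_logs(text)))


if __name__ == "__main__":
    for a in analyse():
        print(f"{a['host']} {a['day']}: {a['bytes_out']:,} bytes out "
              f"(baseline {a['baseline']:,.0f}); new destinations: {a['new_destinations']}")
```

A volume ratio on its own is noisy (backups and update downloads also spike), so in practice the baseline is built over weeks rather than days and the alert is enriched with destination reputation and the sensitivity of the source host. Even this crude check, though, makes a multi-gigabyte transfer to an unfamiliar address stand out against a host's own history, which is the signal that was missing in this case.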

There’s a common saying that you sometimes don’t know you’ve been hacked until law enforcement comes knocking at your door, but in this case Liberty only found out once the criminals had contacted them.

This could be the first South African incident subject to the General Data Protection Regulation (GDPR) since it came into force on 25 May 2018. The GDPR, which Liberty has to conform to because of its European stakeholders, requires companies to notify the supervisory authority of a personal data breach and, where the breach is likely to result in a high risk to those affected, to notify the affected individuals as well.

How many big corporate data breaches are we unaware of that occurred before the implementation of GDPR?

As a Liberty client, I am very worried. Should client personal data leak onto the dark or public web, a lot of personal liability issues become a reality for Liberty. I think the unfortunate truth is that Liberty will be raked over the coals for this, and it could end up costing them millions in real and reputational damage.


Update

  • 18 June 2018 - The group claiming to be the Liberty Group hackers has deleted the message it had posted online.

Liberty breach

  • 17 June 2018 - The alleged hackers of Liberty Group's IT infrastructure have made a public statement. They say they have 40TB of the company's data and will be releasing samples daily. Link

  • 17 June 2018 - South Africa's Liberty Group's IT systems have been breached; CEO David Munro says the company learned of the breach on Thursday, 14 June 2018. Link

  • 16 June 2018 - South Africa's Liberty Group has suffered a systems and data breach. Link

This is a developing story and we will update as new information is discovered and available.