Late on the 16th of June 2018 (which also happened to be a public holiday in South Africa) I received a very concerning SMS from Liberty Life on my cell phone:
“Dear Valued Customer, Liberty regrets to inform you that it has been subjected to unauthorized access to its IT infrastructure, by an external party who requested compensation for it. Since becoming aware – we have taken immediate steps to secure our computer systems and are investigating the incident.”
First of all, kudos to Liberty (a South African Financial Services company) for being so up-front and informing their customers about the incident. I have written previously about companies that were not open when they got hacked, or even worse, did not even know what was going on!
Admittedly, it must be said that it took two days for them to take this step, but I suppose any organization would first assess the situation with the main priority to stop the leak of any further information.
Whoever was managing the Liberty response must have understood that trying to hide a breach of this nature does more harm to a company’s reputation than disclosing it. Instead, they engaged with their customers from the beginning, with many follow-up notifications over the next couple of days.
South African Cyber Attacks
Now, this was not the first time a South African company has been compromised. Two major leaks occurred recently – both reported by the Australian security expert and Microsoft MVP, Troy Hunt. The first was last year’s Master Deeds leak, in which the personal information of millions of South Africans was exposed by a property company, Jigsaw Holdings. More recently there was the breach of the online traffic fines site, ViewFines.
What set the Liberty hack apart, however, was the element of extortion. Apparently the hackers wanted “millions” from the company to avoid the release of “critical information” belonging to “top clients”.
After some investigation, it turned out that the person taking control of the Liberty situation was indeed their (new) CEO, Mr. David Munro. In an official response, the Sunday Times quoted Munro as saying that “the data that was affected by the breach consisted largely of recent emails from the company’s mailing service. He said the company was in the process of investigating the breach, saying the findings of such an investigation would be referred to the authorities”.
Munro also said Liberty had assembled a large team of technology and security specialists with world-class skills and experience in assisting organizations affected by such breaches.
Liberty’s name has in the past also been used in a ‘419’ scam. These scams typically take the form of an email (or, in this case, an SMS) sent to a recipient by someone pretending to be a legitimate entity, making an offer that results in the recipient willingly transferring money into the scammer’s bank account. (The ‘419’ refers to the section of the Nigerian Criminal Code dealing with fraud. That these types of schemes are commonly associated with Nigeria is probably because many of them promise riches from some Nigerian prince!)
On 25 January 2018, Liberty posted the following on their website:
“Please do not respond to a fraudulent SMS that you may have received about a Liberty Quick Loan as this is not part of our product offering. Please delete the SMS and do not share your personal information.”
Was it possible that the same scammers responsible for the ‘419’ SMS were also responsible for the extortion? Did they somehow manage to gather enough inside information via the SMS scam to pull off the hack?
Some commentators said the fact that Liberty took two days to inform its clients suggested that it did not have a strong enough focus on its IT systems. In fact, a senior IT executive with more than a decade of experience at Standard Bank said anonymously that “Nobody [at Liberty] takes IT seriously and then this is what happens”. (Liberty is 53.6%-owned by Standard Bank.)
Research done two years ago by World Wide Worx found that “half of IT decision makers in SA corporations believed their organizations were vulnerable to a cyberattack”. More alarmingly, VMware research reports that 1 in 10 companies would not know that they had been breached within the first 24 hours.
Liberty communicated personally with all its clients throughout the initial crisis. Follow-up SMSes were sent on the 17th and 19th of June, as well as on the 6th of July. Apart from keeping clients informed about the criminal investigation, they also sent messages about vigilance against phishing, password strength and so on.
But since then, information has not been so forthcoming.
Later, as I was looking at some news articles on Liberty’s website again, I came across a very prominent press release about the company announcing a new CEO. This new CEO turned out to be none other than Mr. Munro who was dealing with the hack.
Apparently Mr. Munro, previously a Non-executive Director, replaced Mr. Thabo Dloti who was leaving due to “a difference of opinion with the Board on the immediate focus of the company at a time when the organization is facing tough operational and environmental challenges.”
“Mr. Dloti believes that given this environment, alignment among key stakeholders is imperative to ensure the effective execution of the strategy required to drive the company forward. This alignment, coupled with the ability to act decisively, is in the best interests of the company and hence Mr. Dloti is stepping aside.”
It is not uncommon for CEOs to resign from their companies willingly, but what really caught my attention was the date of the press release: 16 July 2018 – barely a month after the cyber-attack. So Liberty’s ‘new’ CEO was indeed very new, and these events occurred during the transition period from Mr. Dloti to Mr. Munro.
Now, this post is by no means intended to fuel any conspiracy theories, but the timing of the hack is very suspicious.
Were either of the two CEOs’ logon credentials exposed during this period, allowing hackers to gain access to the mail system? For example, an IT employee receiving an email from the CEO might feel obliged to act on it if the email appears to originate from within the company.
Or was it the work of some disgruntled employee who stood to lose political influence (or income) with the resignation of Mr. Dloti?
Or was there more involved with the “difference of opinion with the Board” than anyone cared to admit?
Or did the hackers know that the company could be vulnerable during this time?
Or was it simply a coincidence that events unfolded as they did?
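A practical check behind the first of those questions: an email that appears to come from the CEO is not proof that it originated inside the company, and an IT employee should look past the display name before acting on it. The following is an added example, not code from the original post or from Liberty. It assumes a company domain of example.com and an inbound mail gateway that stamps an Authentication-Results header with SPF and DKIM verdicts; all three messages are constructed for illustration.

```python
# Added example (not part of the original post): a small check for whether an
# email that claims to come from inside the company really shows the signs of
# internal origin, instead of trusting the From: display name or address.
#
# Assumptions (not from the original post): the company domain is example.com
# and the receiving mail gateway adds an Authentication-Results header with SPF
# and DKIM verdicts. All messages below are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed company domain

# Constructed message 1: envelope sender and From: aligned, gateway verdicts pass.
GENUINE = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Chief Executive <ceo@example.com>
To: it-helpdesk@example.com
Subject: Password reset for my mailbox

Please reset my mailbox password and send it to me.
"""

# Constructed message 2: From: looks internal, but the envelope sender is an
# outside domain, Reply-To: is redirected and SPF failed. The display name
# would fool a reader; the envelope and gateway verdicts do not.
SPOOFED = """\
Return-Path: <bounce@mail-relay.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.test; dkim=none
From: Chief Executive <ceo@example.com>
Reply-To: ceo.office@mail-relay.test
To: it-helpdesk@example.com
Subject: Urgent: need access to the mail archive

Send me the export credentials for the mail archive today.
"""

# Constructed message 3: a lookalike domain (digit 1 instead of letter l).
# SPF and DKIM pass, because the attacker controls that domain.
LOOKALIKE = """\
Return-Path: <ceo@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com
From: Chief Executive <ceo@examp1e.com>
To: it-helpdesk@example.com
Subject: Quick favour

Approve the pending forwarding rule on my mailbox.
"""


def domain_of(addr):
    """Domain part of an email address, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect spf=/dkim= verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim)=(\w+)", header, re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def internal_origin_red_flags(raw):
    """Return reasons NOT to treat the message as internal; [] means none found."""
    msg = message_from_string(raw)
    flags = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = domain_of(from_addr)

    # 1. The From: domain itself must be the company domain (catches lookalikes).
    if from_domain != COMPANY_DOMAIN:
        flags.append("From: domain %r is not the company domain" % from_domain)

    # 2. A Reply-To: that leaves the From: domain redirects the conversation.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("Reply-To: points to a different domain (%r)" % domain_of(reply_to))

    # 3. The envelope sender (Return-Path:) should align with From:.
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and domain_of(return_path) != from_domain:
        flags.append("envelope sender domain %r differs from From: domain" % domain_of(return_path))

    # 4. The gateway's SPF and DKIM verdicts must both be "pass".
    verdicts = auth_results(msg)
    for method in ("spf", "dkim"):
        if verdicts.get(method) != "pass":
            flags.append("%s did not pass (%s)" % (method.upper(), verdicts.get(method, "missing")))
    return flags


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label + ":", internal_origin_red_flags(raw) or "no red flags")
```

Run as-is, the genuine message produces no flags, the spoofed one is caught by the envelope sender, the Reply-To redirection and the failed SPF, and the lookalike by the domain comparison alone. Two caveats matter in practice: Authentication-Results headers are only trustworthy if the inbound gateway strips any copies that arrive from outside, and a genuinely compromised CEO mailbox (the first question above) passes every one of these checks, which is why a request of this kind still warrants confirmation over a channel other than email.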
In my previous post, I have written about the South African version of the GDPR called the Protection of Personal Information Act (POPIA). Although the act makes provision for legal sanctions against firms that are found not to have proper security in place to safeguard customers’ personal data, it is not always properly governed and implemented.
The Liberty data breach is still under criminal investigation.
In conclusion, the reason for writing this post was twofold. Firstly: it is a given that these types of events will occur in the future, and there is probably no company that can claim to be safe. Management problems and human deficiencies will always present loopholes for hackers to exploit.
Secondly: how a company publicly deals with the situation can say a lot about the management and leadership within that company… and it might just determine how loyal its customers really are.