Liberty ‘won’t be fined’ for big data breach

Liberty's shares tumbled 4% yesterday as the insurer divulged little new detail of a data breach unlikely to result in a fine, even if it has fallen foul of information protection laws.

The breach is the latest blow to Liberty, whose earnings have gone backwards for the past two financial years.

Liberty told customers at the weekend that hackers had infiltrated e-mails and attachments and were demanding payment for the stolen information.

Liberty had refused the attempted extortion, it said.

Chief executive David Munro said on Sunday that Liberty was in full control of its IT environment.

“At this stage, there is no evidence that any customers have suffered any financial losses,” he said.

Liberty, which could not quantify what the attack would cost it, declined to comment on whether it had cyber insurance.

A full-time member of the Information Regulator, advocate Johannes Collen Weapond, said the regulator could not fine Liberty if it were found to have breached the Protection of Personal Information Act.

Not all sections of the Act were operative, so the regulator did not yet have these powers, he said.

The Information Regulator would meet Liberty to understand the extent of the breach and steps it was taking, Weapond said.
Santho Mohapeloa, digital distribution specialist at Santam subsidiary SHA Specialist Underwriters, said customers who could prove they had suffered damages because of a data breach at a business could institute civil action.

But Weapond said that given the number of data breaches that had occurred recently – including “Master Deeds”, Facebook and ViewFines – it could be difficult to prove which breach had caused a loss, unless a customer could prove that information had been shared only with a specific party.

Mohapeloa said that under the Act, companies were liable for losses of personal information under their control.

Computer forensics company Cyanre chief executive Danny Myburgh warned yesterday that while it was unclear what information was taken by the hackers, some details contained in the e-mails could be used to commit crime.

Commenting on any possible threat to Liberty’s customers‚ Myburgh said the extent of the risk to the customers depended on what information was stolen.

He said if there was customer contact information and where a person’s medical status was provided‚ there could be risks to the customer.

“Remember it is not only the communication between the insurer and the insured‚ but some medical information that was given by the customer to the insurer to determine the price of cover‚” he said.

There could also be customers’ banking details in that communication.

“This information can be used for identity theft purposes and to perpetrate crimes against that person,” Myburgh said.

“A person who obtains personal information about a customer could claim to be a service provider for future transactions.”

Liberty said the cyberattack had not spread to Stanlib‚ nor to its businesses outside South Africa. – Business Day, TimesLIVE