Information Regulator wants urgent meeting with Liberty on data breach

18 June 2018 - 20:00 By Nico Gous
Liberty Holdings CEO David Munro.
Liberty Holdings CEO David Munro.
Image: Freddy Mavunda

The Information Regulator has requested an urgent meeting with Liberty Holdings CEO David Munro to understand how its data was breached.

Information Regulator chairperson Advocate Pansy Tlakula also requested from Liberty the extent and contents of the data breach‚ what interim measures have been put in place to prevent further breaches and if those affected by the breach have been informed.

Munro said at a media briefing on Sunday evening there was no evidence of financial losses affecting customers.

Liberty first became aware of the cyber attack that possibly compromised customers’ data late on Thursday evening‚ two days before it informed customers on Saturday evening.

Munro said he could not reveal whether the breach might have been an inside job‚ what ransom the hackers had demanded‚ or how the company had communicated with these hackers.

It is not yet clear how much information was stolen and how many customers might be affected. Munro said the company believed the breach involved recent e-mails and attachments from Liberty’s insurance business in South Africa.

Tlakula said the Protection of Personal Information Act (POPIA) has only partly come into effect‚ but encouraged private and public bodies to comply with POPIA.

Section 19 of POPIA requires companies to ensure the personal information it possesses is secure.

“South Africa has experienced a disturbingly high number of material data breaches in the past few months‚” Tlakula said.

“Without a fully functional Information Regulator‚ these breaches will continue to occur without sanctions provided for in POPIA.

These data breaches underscore the urgent establishment of the Regulator.”

ViewFines‚ a website for viewing traffic fines‚ suffered a data breach in May. More than 934‚000 records containing 778‚000 unique email addresses were exposed‚ including names‚ phone numbers‚ government-issued identity numbers and passwords stored in plain text.

The leak did not affect all licensed drivers‚ but only those who had registered to pay traffic fines online using one or more of the sites that provided the service.

In April‚ there were reports of a data breach by Facebook where data was potentially shared with the data firm Cambridge Analytica. Among those affected were 59‚000 South African users.

The Information Regulator wrote to Facebook Ireland (which provides Facebook services outside of the US and Canada) to enquire about the alleged breach. Facebook Ireland said that the Information Commissioner Office (Ico) of the United Kingdom was investigating whether any of the data had been illegally acquired or used.

A larger data breach was uncovered in October 2017 when the private records of about 31.6-million South Africans were available for download. The breach‚ which had remained undetected for months‚ contained among other things their ID numbers‚ age‚ locations‚ marital status‚ occupations‚ estimated income‚ physical addresses and cellphone numbers.

X