Liberty Life says no customers appear to have suffered financial loss, but cyber criminals are demanding a ransom from the company or threatening to release confidential client information.
Tlakula says the Information Regulator has requested that Liberty provide more information.
“We want to understand the cause and the circumstances of this leak, because we cannot simply base our information on what we have heard in the media. We have to go to the source and ask them the cause and circumstances. How many people were affected by this data breech? What interim measures have they taken to ensure that there is no further compromise? But more importantly to understand how their security measures work. Because the Act is very clear that they have to put security measures in place for the personal information of their customers.”
Over the weekend Liberty Life was hit by a data breach resulting in hackers attacking their computers and demanding cash. Liberty management said no customers appear to have suffered financial loss from the incidents.
Tlakula says although no punitive action can be taken against companies without adequate cyber security immediately, new regulations will be put in place to hold them responsible for not having the appropriate security procedures.
“We have very wide investigative powers that have given us the power to issue warrants. We can refer a matter after we have investigated to what is referred to as an enforcement committee and it is important to note that non-compliance with the act can lead to criminal sanctions, civil damages and a fine of R10 million. So it is serious.”
Liberty says it refused to pay the ransom demanded by the hackers. Andrew Chester, the managing director of Ukuvuma Cyber Security, says this is disturbing.
“Liberty could have easily noticed unusual activity especially with regards to exfiltrating any data, through monitoring solutions and standard practices that are in the security industry. It should be extremely difficult to access that kind of data as the data itself should be encrypted.”