After Email

Has Liberty got away with it? Back in June, an online group that claimed to have acquired a massive 40 terabytes of data from the financial services organisation’s email servers was threatening to leak what would be the largest trove of stolen South African customer data onto the internet.

There’s been little news on the exact contents of the data that was leaked, but the worry is the emails contain personal information about customers, which could be used for identity theft, or confidential information sent between staff that could be damaging for the company.

Group chief David Munro won respect for the way he handled the breach. Throughout the weekend and the next few days, he gave a series of interviews stressing that while data had been lost, there was no evidence of fraudulent account activity. He showed some transparency on the issue, although it’s worth noting that the group has been tight-lipped on details since.

Munro’s reaction was enough for the recently appointed information regulator Pansy Tlakula, who will be responsible for enforcing the Protection Of Personal Information Act (POPI) once it comes into effect. Tlakula said that she was satisfied with the way Liberty was dealing with the breach.

At the time of writing, it appears that the thieves haven’t released the stolen data into the public domain and what could have been – and might still be if the data does leak out – a complete disaster for the company, is already fading into memory.

Lessons to be learned 

We may never know what customer details were lost in the Liberty breach, but it should make every board wary about what data is passing through their email servers. It’s not uncommon, for example, for service providers – including insurance companies – to ask for personal data such as ID numbers, scans of ID books, proof of residence and banking details to be submitted via email.

The problem is that email is very hard to protect. Not only are individual accounts difficult to secure, but emails get forwarded and personal data contained in them could also be forwarded. It’s very hard for a business to even know what’s been stored in an email archive because data sent by email is hard to track. This is a concern because legislation such as POPI and the EU’s General Data Protection Regulation (GDPR) is designed to force businesses to take responsibility for personal data.

Chris Charlton is the MD of Consort Technical Underwriters, a firm that specialises in insurance policies for engineering companies. Consort is one of just a few organisations in South Africa that offers a cybersecurity policy designed to cover the costs of a data breach. Every client is different in the way that they apply security measures, he explains, so it’s essential that every client is thoroughly appraised before a policy can be drawn up.

“We’re used to doing this because as a technical underwriter we tend to risk assess everyone anyway,” Charlton says. “But the big bonus of having a policy is that you get access to the best experts in the field. That includes lawyers and cybersecurity guys who do regular audits for you.”

Consort’s policies cover third-party liabilities from a data breach and cover some of the other costs that might be involved, including PR resources to try and limit reputational damage.

One thing that Liberty will almost certainly have been worried about is the new GDPR regulations in Europe. These have been widely interpreted to cover personal data of European citizens regardless of where it is held in the world. Although Liberty has EU citizens on its books, IT lawyer Lucien Pierce – a director at PPM Attorneys – says that GDPR probably won’t apply in this case.

“Article 3 of GDPR is very precise about where you are processing the data and whether you are in the EU or targeting the EU,” Pierce says, “Liberty’s strategy and business model has been very Africa-focused, it hasn’t been marketing specifically to European residents, so I’d assume they are outside GDPR.”

Even so, Pierce warns, it’s best for all corporates to take stock of the personal data that may be lurking in their systems and think about policies such as what they routinely ask for over email.

“EU regulators are forming relationships with local authorities such as the South African information regulator,” Pierce says. “The intention is that they are able to take you on in your jurisdiction.”