Shares in Johannesburg-headquartered Liberty fell 4% on 18 June as the fallout from a data breach continues to rock the financial services group.
Liberty sent a text message to its clients on 16 June informing them the firm had suffered “unauthorised access to its IT infrastructure”.
Local newspaper The Sunday Times further reported on 17 June that that the hackers obtained sensitive information about some top clients and have demanded payment of millions of rand not to release the information.
While Liberty has not given specific details relating the the data taken or the extortion amount, its chief executive David Munro confirmed in a statement on the Johannesburg Stock Exchange that “an external party has illegally obtained data from Liberty and demanded payment”.
According to the statement, Liberty is at an “advanced stage” of investigating the extent of the data breach, which seems to largely involve emails and related attachments.
“At this stage there is no evidence that any customers or the group have suffered any financial losses,” it says.
“Liberty staff will proactively inform any customers individually if and when it is discovered that they may have been impacted.”
Munro says Liberty has engaged the hackers to determine their intentions, but has made not concessions to the extortion.
Two days to inform clients
Liberty further confirmed in the statement that it was alerted of the intrusion into its network on 14 June and immediately alerted relevant authorities.
“As soon as Liberty was able, customers were informed via emails, SMSs [text message] and via a media statement on the afternoon of 16 June,” the statement says.
When questioned why it took two days to inform clients about the breach, South African news site Moneyweb reports Munro said it was because the hack was “out of the blue” and that the matter was “difficult to understand”.
“We can’t prepare for this [kind of] event. It took us a couple of days to get to the point where we could inform clients and understand the implications of the extortion attempts,” Munro said.
Stanlib not impacted
Further, he said the data taken was limited to the group’s South African insurance business, and its money management arm Stanlib was not affected.
According to Liberty’s website, it provides a range of insurance products, including life, medical and critical illness cover.
Regulator demands answers
South Africa’s information regulator called an urgent meeting with Munro on 19 June, demanding it be informed as to how the breach occurred.
It is understood the regulator has also asked for information on the extent of the breach.
However, Liberty is unlikely to face any fine by the regulator under the Protection and Personal Information Act as the section covering penalties is not operative under South African law yet.