GDPR / PoPI data privacy security breaches

The Liberty hack could be the first South African incident subject to the General Protection Regulation (GDPR) since its inception on 25 May.

So says Andrew Chester, MD of Ukuvuma Cyber , who points out that the GDPR, which Liberty has to conform to because of its European stakeholders, states that companies must send out breach notifications to their clients.

In a statement issued yesterday, Liberty, a financial  company, said it regrets to confirm that it has been subject to illegal and unauthorised access to its IT infrastructure. It noted that an external party illegally obtained data from Liberty and demanded payment.

“Liberty was alerted of the intrusion into its network late on the evening of 14 June. Liberty specialist teams immediately began investigating the incident, prioritising the protection of customer details and of the security of the company’s IT systems. The relevant authorities were also alerted. As soon as Liberty was able, customers were informed via e-mails, SMSes and via a media statement on the afternoon of 16 June,” it said.

It is concerning that the security breach was only detected when the perpetrators informed Liberty and demanded a ransom, i.e. its own internal systems did not detect the breach and it’s not known for how long the perpetrators were already at it.

In SA the PoPI Act is not yet in force, but businesses should beware – data security breaches will occur here and it’s always a costly affair.

Read the full article here.