Liberty chief executive David Munro speaks about a data breach that took place at Liberty on Thursday when they were hacked and client info was stolen. The brief took place at the company head office in Braamfontein JHB last night. 
Photo: Timothy Bernard/African News Agency (ANA)
JOHANNESBURG - IT experts have warned that more companies in South Africa could be hacked if they failed to prioritise secure erasure in preventing data losses.

The expects said companies needed to understand the impact of the EU’s General Data Protection Regulation (GDPR) law on South African business and how it aligned with the Protection of Personal Information Act 2013 (PoPI).

PoPI Act expert Dr Peter Tobin warned that there were serious implications for South African companies. “Any organisation in this country that deals with the data of any European resident is impacted by the GDPR.”

The warnings come in the wake of Liberty life this week disclosing that it had refused to pay money demanded by hackers who attacked its systems and extracted data.

The insurer said it dispatched a team of IT experts to investigate the breach of its systems on Thursday.

It said the hackers seized data, alerted the group to potential vulnerabilities and demanded payment.

Last year it emerged that more than half of the population’s identity numbers were leaked in one of South Africa’s worst data breaches, which affected about 30 million South Africans. 

A survey by also claimed that 90 percent of small and medium-sized enterprises (SMEs) globally were vulnerable to cyberattacks and other IT threats.

Financial advisory group GTC head of risk solutions Roy Wright said South African companies were still reluctant to insure against hacking despite suffering several cybercrime incidents in the past few years.

“This is largely due to the fact that many SMEs do not have their own dedicated risk management teams or systems, as is the case with many larger organisations,” Wright said. “These functions are often outsourced to third-party service providers. Risk management systems may therefore not be specifically designed for the business’s needs and subsequently not optimal for the organisation.” 

Wright said ransomware attacks had become particularly popular globally due to the rise of cryptocurrencies, which are untraceable and therefore largely irrecoverable.

He said the introduction of the GDPR and PoPI Act was likely to increase the demand for cyber-insurance given the increase in the cost of attacks, as this insurance field began to draw attention and gained traction, given the requirements of these pieces of legislation.

“The PoPI Act will be a significant game-changer in the way businesses think about cybercrime here in South Africa, as it will obligate companies to report and publish any data breaches when they occur. Coupled with this, organisations must release the strategies they have employed to rectify the breach, as well as all plans to mitigate against such risks in the future. Companies that fail to comply with these requirements, will be issued with fines, which will significantly impact SMEs.”

the cybercrime practice known as spear-phishing.

A recently released Symantec Internet Security Threat Report showed a sharp increase in spear-phishing last year(2017), which are targeted attempts at tricking individuals into revealing passwords and sensitive information or allowing criminals access to secure networks.

Santho Mohapeloa, Digital Distribution Specialist at SHA Specialist Underwriters, said the report also revealed that other types of attacks – such as those that exploit flaws in secure programs or fully-fledged hacking of a company’s secure networks – were falling out of favour with cybercriminals.

“Spear-phishing attacks usually appear in the form of an email from a familiar and reliable source, which an individual often conducts business with. The email is usually an outright request for personal details such as bank account numbers or login details, or it could contain a link that downloads malicious software onto the user’s computer. 

“In other cases, the correspondence could be disguised as a notice from a service provider informing the victim that their bank account details have changed. The aim could be to steal funds, gain access to confidential information, or even trick the employee into inadvertently downloading ransomware onto the company’s system,” he said.

Wright said, regardless of advances in risk management, cyber-crime would become more prevalent. “Hopefully the impending privacy legislation will be a wake-up call to companies to give due consideration to this enterprise risk.”