It is a curious case that when a company falls prey to a hack, the first reaction is to blame it for becoming the victim.
If someone were to steal your car, people might say that it was unfortunate, or empathise with you. The criminal, however, would be blamed for committing the theft.
When a cyber attack is involved, though, a different standard seems to apply.
Liberty revealed in June 2018 that it was the target of an attack on its IT infrastructure. The hackers claimed to have taken data during the attack and threatened to release the data unless Liberty paid a ransom.
The CEO of Liberty, David Munro, later revealed that the attackers had got into Liberty’s network and accessed one of its servers.
Initial reactions did not treat Liberty as the victim of a crime, but questioned its competence as a financial institution. Allegations that it was an inside job were also made.
This is a curious double standard, as consumers generally find it distasteful when banks and mobile network operators blame a client that was the victim of SIM-swap fraud.
When it comes to online banking fraud, their line is usually that the attacker would not have been able to get into a bank account if the client hadn’t compromised their login credentials.
The public is not impressed by this argument, especially when the fraudulent transactions were clearly suspicious.
Yet when the tables are turned, we’re quick to use the same line of argument – asking what Liberty did to allow the compromise.
This is despite knowing little about the security measures Liberty had in place.
Poor security practices
There have been many reports of outrageous negligence when it comes to information security in South Africa, and it has become natural to assume the worst of a company that has been hacked.
ISPs and other companies have stored people’s passwords in plain text, and government websites were launched and forgotten.
Our most infamous data leak – the Master Deeds leak – was the result of a database backup file being left on an unsecured web server.
Besides coming to expect poor security policies from organisations that get hacked, South Africans have also seen the people who report security flaws be treated like criminals.
This was especially the case with government websites.
When helpful IT professionals and “white hat” hackers discovered and reported security flaws in the E-toll and City of Johannesburg websites, they weren’t thanked – but threatened with legal action.
While SANRAL’s response to the disclosure of a vulnerability on the E-toll website ended at merely a threat, the City of Johannesburg laid a criminal case against the person who reported the data leakage.
Lack of sympathy for big companies
Perhaps the most prevalent reason for the lack of sympathy is that it is difficult to feel sorry for a large company with ample money and resources at its disposal.
If we average users are ultimately liable when it comes to our own online security, then big corporates should be held responsible in a similar way.
However, while the above reasoning is understandable, it makes it no less a double standard.
It is fair to say that you must take responsibility for your own safety – you lock your door at home, lock your car, and guard your passwords – but there is nothing wrong with reminding people to stay safe.
Similarly, banks also accept a level of responsibility and are expected to implement systems beyond basic password checks to detect whether activity on an account is suspicious.
That said, banks and mobile networks can be empathetic to clients who were the victims of identity theft and online fraud, without accepting liability for the loss. The thief is the criminal, not the bank or the client.
As hypocritical as it is, though, companies like banks can’t expect the public response to attacks on them to change unless they stop victim-shaming clients who have fallen prey to hackers.