The Information Regulator says it has requested an urgent meeting with Liberty Holdings to get an understanding of how its data was breached by hackers at the weekend.
In a statement issued by the Chairperson, Advocate Pansy Tlakula, on Monday, the regular said it had written to Chief Executive Officer of Liberty Holdings David Munro to find out how the breach occurred; the extent and materiality of the data breach as well as to the interim measures put in place by Liberty to prevent any further compromises.
In addition to this, the regular wants to know what measures have been taken to inform affected data subjects of the breach to allow them to take proactive measures against the potential consequences of the compromise.
On Sunday, the insurer announced that an external party had claimed to have seized data from the firm and demanded a ransom. However, the insurer said it made no concessions to the hackers and there was no evidence that its customers have suffered any financial loss.
Liberty assured customers that they will proactively inform them individually if and when they discover they may be impacted.
Although not all the provisions of the Protection of Personal Information (POPI) Act have come into effect, the regulator has consistently encouraged private and public bodies to proactively comply with the Act.
Section 19 of the Act requires responsible parties to put in place measures to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent either loss of, damage to or unauthorised destruction of personal information or unlawful access to or processing of personal information.
South Africa has experienced a disturbingly high number of material data breaches in the past few months. In addition to Liberty Holdings, there have been material data breaches at Master Deeds, Facebook and ViewFine.
Without a fully functional Information Regulator, Tlakula said, these breaches will continue to occur without sanctions provided for in the POPI Act.
These data breaches underscore the urgent establishment of the regulator, said Tlakula.
“It is for this reason that the Information Regulator requests the powers that be to assist it in fast-tracking its operationalisation.”