Data privacy enforcer the Information Regulator (InfoReg) has slapped SA’s biggest data breach culprit TransUnion with an enforcement notice.
The InfoReg made this announcement at a media briefing earlier today, detailing the outcomes of investigated cases and new matters being investigated in regards to the Protection of Personal Information Act (POPIA) and Promotion of Access to Information Act.
In 2022, ITWeb broke the news about the TransUnion hack, when N4ughtySecTU demanded $15 million (R223 million) ransom over four terabytes of compromised data.
After the hack, the group claimed it had accessed several million personal records of South Africans, including the personal details of president Cyril Ramaphosa.
TransUnion joins other organisations to be issued with an enforcement notice, including Dis-Chem, the South African Police Service (SAPS) and the Department of Justice and Constitutional Development. The latter was fined R5 million for not complying with one of the conditions in the enforcement notices.
At the media briefing, InfoReg chairperson advocate Pansy Tlakula revealed the regulator received 982 complaints during the 2023/2024 financial year, with 14 responsible parties assessed. Of these, she said, 682 complaints were resolved and 10 assessments were completed and ready to be issued with enforcement notices.
In the case of TransUnion, the regulator says its assessment found, among others, the company breached the conditions for the lawful processing of personal information.
It reveals it did this by:
- Failing to secure the confidentiality of the personal information in its possession or under its control.
- Failing to take appropriate technical and organisational measures to ensure access control is implemented as directed by its own policy and also not having controls to detect this failure.
- Failing to prevent unlawful access to, or processing of personal information that enabled unauthorised actors to gain unlawful access through the use of compromised credentials and use of a weak password.
- Failing to implement the safeguards that had been put in place in the form of access management policies and user creation policies.
- Failing to implement the provisions of its own information security policies, which covered the domains recommended to ensure the confidentiality, integrity and availability of its information processing environment as they relate to:
  - User creation – which meant there was a user created outside of approved user creation processes.
  - Password complexity – which meant the disregard for the password requirements as set out in its access control policy.
As a result, the credit bureau has been ordered to:
- Develop and put in place security measures to ensure the integrity and confidentiality of personal information in its possession or under its control, to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to it.
- Obtain the services of a qualified auditor/audit firm to perform an audit of all user accounts against the SFTP user creation policy, to determine whether the configuration of any further user accounts falls outside the prescripts of the policy.
- Conduct a personal information impact assessment to ensure adequate measures and standards exist to comply with the conditions for the lawful processing of information.
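The two findings above, an account created outside the approved process with no control to detect it, and a password that ignored the complexity rule, map onto two concrete controls. The following is an added illustration, not code from the article, the regulator or TransUnion: a detective reconciliation of SFTP accounts against an approved-provisioning register, and a preventive complexity check applied at account creation. Account names, ticket numbers and policy values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy values; the real ones come from the organisation's access control policy.
POLICY = {"min_length": 14, "classes_required": 3}

@dataclass(frozen=True)
class Account:
    username: str
    created_by: str
    ticket: Optional[str]  # provisioning/change reference recorded at creation, if any

def meets_complexity(password: str, policy: dict = POLICY) -> bool:
    """Enforce the complexity rule at the moment an account is created, which is
    the only point where the plaintext is legitimately available."""
    if len(password) < policy["min_length"]:
        return False
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes >= policy["classes_required"]

def audit_accounts(accounts, approved_tickets: set) -> list:
    """Detective control: one finding per account not traceable to an approved ticket."""
    findings = []
    for a in accounts:
        if a.ticket is None:
            findings.append(f"{a.username}: created by {a.created_by} with no provisioning ticket")
        elif a.ticket not in approved_tickets:
            findings.append(f"{a.username}: ticket {a.ticket} is not in the approved register")
    return findings

# Constructed sample data: an SFTP account export and the approved change register
SFTP_ACCOUNTS = [
    Account("partner-upload-01", "svc-provisioning", "CHG-1001"),
    Account("partner-upload-02", "svc-provisioning", "CHG-1002"),
    Account("tmpuser", "admin3", None),                  # no ticket: outside the process
    Account("partner-upload-03", "admin3", "CHG-9999"),  # ticket never approved
]
APPROVED_TICKETS = {"CHG-1001", "CHG-1002"}

if __name__ == "__main__":
    for finding in audit_accounts(SFTP_ACCOUNTS, APPROVED_TICKETS):
        print("FINDING:", finding)
```

Run on a scheduled basis and alerted on, the reconciliation is the "control to detect this failure" that the regulator found missing; the complexity check belongs in the account-creation path so a non-compliant password is rejected rather than discovered later.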
The regulator has given TransUnion until 26 May to submit proof to it that all the remedial measures in the enforcement notice have been implemented.
Tlakula noted that TransUnion has been given 60 days to comply with the notice, and only if it does not comply will the regulator move to the next step, which is to issue an infringement notice. “For now, it’s a wait and see what will happen.”
An organisation that receives an infringement notice has options available to it – the company can pay the fine, or make a payment arrangement with the regulator to pay the fine in instalments, or choose to take the matter to court.
Responding to the enforcement notice, TransUnion says: “The South African Information Regulator has concluded its assessment of the cyber incident of March 2022, which involved an isolated TransUnion South Africa server.
“Immediately after the incident, we implemented a number of improvements following a review we commissioned by a world-leading independent forensics and security firm. We are now implementing the regulator’s additional recommendations and welcome the conclusion of the matter.”
More matters
The Information Regulator, headed by Tlakula, is mandated to ensure organisations put in place measures to protect the data privacy of South Africans in terms of POPIA.
Under POPIA, organisations must inform the Information Regulator if they expose the personal information of data subjects to unauthorised third parties without their approval.
The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputation loss. Perpetrators can face fines of up to R10 million or 10 years of imprisonment, depending on the seriousness of the breach.
Providing an update on the matter between the SAPS and the Krugersdorp sexual assault victims, Tlakula said the police service was issued with an enforcement notice following a leak of the personal information of the victims.
The police service, according to the regulator, complied with the enforcement notice, resulting in the matter being closed.
In the case of Dis-Chem, which was issued with an enforcement notice in September last year, the regulator said it was satisfied that the pharmacy retail giant is compliant with the recommendations contained in the notice. As a result, the regulator has closed its file on Dis-Chem.
New matters are being investigated under POPIA, Tlakula revealed. These include the Independent Electoral Commission, another matter involving the SAPS wherein personal information was released via WhatsApp, and the Companies and Intellectual Property Commission.