DBSA becomes target of ransomware attack

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 13 Jun 2023

The Development Bank of Southern Africa (DBSA) has become the latest financial institution to suffer a ransomware attack.

In a statement issued yesterday, the DBSA says it was subjected to a ransomware attack by a malicious threat actor. The attack took place on or about 21 May, it adds.

The bank believes the threat actor to be Akira, a Russian ransomware group, based on preliminary investigations. However, the determination is not definitive as investigations are still ongoing, it states.

“Various servers, logfiles and documents were encrypted by Akira, who threatened to publish the encrypted information to the dark web in the event that their demands (that is − the payment of a sum of money) were not met.”

This ransomware attack comes amid security experts cautioning that SA’s geopolitical stance in the Ukraine/Russia conflict has the potential to amplify the country’s cyber security risk.

Furthermore, SA is said to be the eighth most targeted country in the world for ransomware, with more than half of South African firms impacted by ransomware in the past year.

The 2023 state of ransomware report compiled by security company Sophos noted that 78% of South African organisations were hit by ransomware in the past year.

The DBSA says it has reasonable grounds to believe that personal information of stakeholders has been accessed or acquired by unauthorised persons on account of the cyber security incident.

Under the Protection of Personal Information Act (POPIA), organisations must inform the Information Regulator if they expose the personal information of data subjects to unauthorised third parties without their approval.

Upon becoming aware of the ransomware incident, the DBSA states it conducted an investigation and determined that certain categories of stakeholders’ personal information may have been unlawfully accessed or acquired by the threat actor.

These include certain documents required to be collected by the DBSA under the Financial Intelligence Centre Act. This includes information relating to business name, the names of directors/shareholders, physical address; identification documents and national identification document numbers; contact details, including telephone and cellphone numbers and e-mail addresses; details of the commercial or employment relationship with the DBSA; and financial information pertaining to stakeholders.

“To the best of our knowledge, the personal information accessed as a result of the incident was limited to the personal information. As our investigation into the incident is currently ongoing, it is not clear the full extent to which the personal information was compromised.

“The DBSA's initial view, therefore, is that the potential consequences of the incident to stakeholders may be limited. However, given the nature of the personal information, we believe malicious actors may attempt to impersonate stakeholders using the compromised personal information,” warns the bank.

“As a result, the DBSA encourages stakeholders to remain vigilant and alert to any evidence that their personal information is being used incorrectly, and take care to identify any unauthorised actions as they relate to your personal information.”

The bank notes various measures have been taken to address the incident, including the appointment of a forensic investigator; continued search on the dark web to determine if stakeholders’ personal information has been published; appointment of legal advisors to comply with POPIA; engaging law enforcement agencies and relevant regulators, including the Information Regulator; restoration of its information systems environment; and revoking all third-party access to its information systems.

“The responsible use of personal information is not negotiable at the DBSA and we regret that the incident has occurred. We are also undertaking a review of our technical and organisational controls, to minimise the risk of an incident of this nature from occurring in the future.

“In addition, we will continue to follow generally accepted industry practices to prevent the reoccurrence of similar incidents.”