InfoReg demands answers from TransUnion, Experian on alleged hack

By Admire Moyo
Johannesburg, 30 Nov 2023
Advocate Pansy Tlakula, chairperson of the Information Regulator.

The Information Regulator has given TransUnion and Experian 10 days to furnish it with details regarding allegations of a new data breach at the credit bureaus.

This comes after the notorious Brazilian hacker group N4ughtySecTU Group last week alleged it had again breached the organisations’ IT systems.

TransUnion and Experian, however, denied their systems had been hacked, while acknowledging they had received ransom demands from the cyber criminals.

The information watchdog says the organisations have approached it to report the latest breach, in which the hackers demanded a $60 million (R1.1 billion) ransom.

The hackers threatened to leak the compromised data on the dark web if their demands were not met within 72 hours. However, they have not said anything since the deadline passed.

Says the regulator in a statement: “The Information Regulator is aware of recent allegations regarding the security compromises (data breaches) that have allegedly been suffered by the credit reporting agencies Experian and TransUnion.

“The regulator has received communication from the two credit reporting agencies regarding the alleged security compromises.”

According to the watchdog, the recent allegations were made as the regulator finalises its findings on the security compromise incident suffered by TransUnion in 2022.

The regulator says it cannot yet address the specifics of the recent allegations of a new security compromise on personal information held by Experian and TransUnion until the two credit reporting agencies have fulfilled their obligations under Section 22 of the Protection of Personal Information Act (POPIA).

This section of POPIA states that when a responsible party has suffered a security compromise, the public or private body must notify the regulator within a reasonable time.

According to the regulator, it has not received Section 22 reports, but has been notified of the latest hacking development.

Nothing new

The agencies have reported to the regulator that these are not new security compromises, but that the threat actors are making claims based on personal information leaked in incidents that occurred in 2020 and 2022.

For this reason, Experian and TransUnion say they have not submitted the Section 22 reports.

“Any allegations of a breach of security of personal information of data subjects are received with extreme seriousness and concern by the regulator,” says the InfoReg.

“These new allegations are no different. For this reason, the regulator has requested TransUnion and Experian to furnish the regulator with reports on investigations they have conducted, which led them to conclude that these are not new security compromises as the agencies are claiming.”

The regulator has directed that TransUnion and Experian provide it with the required information within 10 working days from receipt of a communique from the regulator, which was on 23 November.

ITWeb last year broke the news about the TransUnion hack, when N4ughtySecTU demanded a $15 million (R223 million) ransom over four terabytes of compromised data.

After the hack, the group claimed it had accessed 54 million personal records of South Africans, including the personal details of President Cyril Ramaphosa.

Experian made headlines in August 2020, after it experienced a data breach that exposed the personal information of as many as 24 million South Africans and 793 749 business entities to a fraudster.

In March, the Experian data fraudster Karabo Phungula was sentenced to 15 years in prison by the Specialised Commercial Crimes Court.

The credit bureaus in both incidents have said they have not given in to the ransom demands from the hackers.

Payment dilemma

Warren Bonheim, MD of Zinia, an IT technology group and cyber security provider, says the rise in ransomware attacks has become an alarming trend, causing business leaders to grapple with a difficult question: should they negotiate with ransomware attackers and pay the demanded ransom?

He notes this dilemma poses many challenges, and businesses must weigh the potential consequences of their decisions.

“Many think that paying the ransom may be the quickest way to regain access to critical data and systems,” Bonheim says. “Particularly companies where downtime translates to substantial financial losses or even risks lives, such as in healthcare or emergency services.”

He argues that there is no guarantee the attackers will honour their end of the bargain and provide decryption keys, or release the stolen data, even after the ransom is paid; after all, they are not bound by any ethical code. Businesses may end up losing money without resolving the issue, he notes.

In effect, he adds, paying ransoms provides financial incentives to cyber criminals, encouraging them to continue their illegal activities. It fuels a vicious cycle in which attackers are emboldened to launch more attacks.

“Some believe that because stolen data may include sensitive information about customers or employees, paying the ransom can prevent the exposure of this data, mitigating the risk of lawsuits, regulatory fines and reputational damage.

“However, the real danger of this is that companies might become trapped in a cycle of paying ransoms instead of addressing the root causes of vulnerabilities and not invest in more robust cyber security measures,” says Bonheim.

The Information Regulator – headed by advocate Pansy Tlakula – is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of POPIA.

Breaching the rules and regulations outlined by this Act can have serious implications for the business, which can cost more than money and have long-lasting consequences.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.