InfoReg in dark about WCape parly’s cyber incident

Simnikiwe Mzekandaba
By Simnikiwe Mzekandaba
Johannesburg, 09 Jun 2023

Despite informing law enforcement agencies about its cyber attack and subsequent data leak, the Western Cape Provincial Parliament (WCPP) failed to bring the matter to the attention of the Information Regulator.

This week, the WCPP said it feared a data leak may have compromised some or all of its data, following last month’s cyber attack.

The provincial legislature said despite making progress restoring its ICT infrastructure, forensic auditors advised that a worst-case-scenario assumption should be adopted in respect of whether its data has been compromised by the cyber attack.

It said the matter has been reported to the South African Police Service and State Security Agency. Additionally, it advised its stakeholders − including participants in WCPP events, media representatives, members of the Cape Town consular corps, job applicants and service providers − to exercise vigilance in respect of their personal information.

However, it seems SA’s Information Regulator has been left in the dark.

The personal information watchdog is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of the Protection of Personal Information Act (POPIA).

The Information Regulator tells ITWeb it reached out to the WCPP as soon as it became aware of the security compromise.

“The Western Cape Provincial Parliament did not inform us of the security compromises, as per the requirements of section 22 of POPIA.”

According to the info watchdog, it has subsequently requested extensive information from the provincial Parliament, and it has until 14 June to respond to the request.

Further steps to be taken will be determined once the extent of the security compromise has been established, which may include a POPIA Section 89 assessment, it states.

“All security compromises are subjected to a risk assessment. Any matters that have been rated as high risk are addressed on an urgent basis, often culminating in a Section 89 assessment in terms of POPIA.

“Lower risk matters are analysed for trends, such as sectors, organisations, incident types and frequency, which may lead to assessments in terms of Section 89 of POPIA, notwithstanding the low risk of the individual security compromises.”

South Africa’s data privacy legislation − POPIA − came into force on 1 July 2021, following a year-long grace period for organisations to comply with the Act.