The Information Regulator has slapped the Department of Justice and Constitutional Development (DoJ&CD) with a historic R5 million fine for breaching the Protection of Personal Information Act (POPIA).
This is the first time a South African organisation has been fined under the country’s POPIA data privacy law.
In 2021, the department suffered a ransomware attack on its IT systems, leading to all its information systems being encrypted and unavailable to internal employees, as well as members of the public.
As a result of the attack, all electronic services provided by the department were affected, including the issuing of letters of authority, bail services, e-mail and the departmental website.
At least 1 200 files containing the names, banking details and contact details of those who had submitted personal information to the DoJ&CD were compromised during the ransomware attack.
The attack also spilled over to the office of the Information Regulator, disrupting the watchdog’s IT systems.
This resulted in the regulator’s website being unavailable for three days, while the e-mail system went offline.
The Information Regulator, which is overseen by the DoJ&CD, was established in December 2016 with the aim, among others, of monitoring and enforcing compliance by public and private bodies with the provisions of the Promotion of Access to Information Act and POPIA.
Justice minister Ronald Lamola has since said his department plans to invest a portion of its 2022/2023 budget to strengthen its cyber security, to avoid another cyber attack on its IT systems.
“We continuously strive to protect the department’s digital assets through continuous threat detection and monitoring, which includes the implementation of new security products, based on continuous security assessments,” Lamola said.
Yesterday, the information watchdog issued an infringement notice to the department, in which it ordered the DoJ&CD to pay an administrative fine of R5 million following its failure to comply with the enforcement notice issued by the regulator on 9 May 2023.
The regulator says it issued the enforcement notice following the finding of the contravention of various sections of POPIA by the DoJ&CD.
The enforcement notice had required the DoJ&CD to submit proof to the regulator, within 31 days of receipt of the notice, that the Trend Anti-Virus licence, the SIEM licence and the intrusion detection system licence had been renewed.
It also required the department to institute disciplinary proceedings against the official or officials who failed to renew the licences, which are necessary to safeguard the department against security compromises.
The regulator indicated that should the DoJ&CD fail to abide by the enforcement notice within the stipulated timeframe, “it will be guilty of an offence, in terms of which the regulator may impose an administrative fine in the amount not exceeding R10 million, or liable upon conviction to a fine or to imprisonment of the responsible officials”.
POPIA sets out firm frameworks that organisations have to abide by to avoid fines, criminal prosecution and potential reputational loss.
Perpetrators can face fines of up to R10 million or 10 years of imprisonment, depending on the seriousness of the breach.
According to the regulator, the 31 days given to the department expired on 9 June 2023.
“To date, the department has not provided the regulator with a report on implementation of the actions required in the enforcement notice, or any other communication in that regard,” it says.
“The DoJ&CD had the right to appeal the enforcement notice in terms of section 97(1) of POPIA, and they have failed to exercise that right. Given this lack of compliance with the enforcement notice, the regulator has made a determination that the department has failed to comply with the enforcement notice served to it in terms of POPIA.
“Accordingly, the regulator has issued an administrative fine of R5 million to the department for failure to comply with the enforcement notice.”
The watchdog notes the DoJ&CD has 30 days from 3 July 2023 to pay the administrative fine, or make arrangements with the regulator to pay the administrative fine in instalments, or elect to be tried in court on a charge of having committed the alleged offence referred to in terms of POPIA.
ITWeb attempted to call the department’s spokesperson Chrispin Phiri to request comment, but he had not responded by the time of publishing. We will update the story as soon as we get feedback.
Doubling data breaches
The administrative fine comes after the Information Regulator was repeatedly criticised for failing to adequately punish POPIA transgressors.
This comes as data breaches exposing the personal information of members of the public continue to rise in South Africa.
Last month, the Information Regulator told ITWeb that it has received 1 021 data breach notifications, to date.
The new figure is nearly double the 564 data breaches or security compromise notifications that advocate Pansy Tlakula, chairperson of the Information Regulator, indicated in February.
The CSIR estimates the impact of cyber crime on the South African economy at R2.2 billion per annum, amid the country’s worsening data security and privacy environment.
A number of organisations have reported suffering data breaches, including TransUnion, where hackers claimed to have accessed 54 million personal records of South Africans.
Systems integrator Dimension Data and its subsidiary Merchants in March acknowledged a “limited” breach experienced on their call management system platform that exposed client data.
First National Bank’s mobile app exposed personal information of customers applying for home loans using the digital platform. The exposed data included personally identifiable information, such as names, identity numbers and contact details.
Subsea cable operator Seacom last month confirmed a cyber attack, saying the incident impacted a small number of its customers.
In September 2021, over a million South African citizens potentially had their personal data exposed after a ransomware attack at debt recovery services firm Debt-IN Consultants. Most local banks make use of Debt-IN Consultants’ services.
Meanwhile, in August 2020, credit bureau Experian suffered a data breach, which exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.