Info Regulator reads riot act to TransUnion over hack

Read time 4min 10sec
The Information Regulator is headed by advocate Pansy Tlakula.
The Information Regulator is headed by advocate Pansy Tlakula.

The Information Regulator is unhappy with how embattled credit bureau TransUnion is handling the data breach it suffered, exposing about 54 million personal details to cyber criminals.

The enforcer of South Africa’s data privacy law − the Protection of Personal Information Act (POPIA) − on Tuesday met with the beleaguered credit bureau to get a clear understanding of how the hack transpired, as well as the ramifications.

This, after ITWeb broke the news last week that a hacker group, going by the name N4ughtysecTU, which claims to hail from Brazil, breached TransUnion and was demanding a $15 million (R224 million) ransom.

The group claimed the credit bureau was using the word “password” as its password.

The hacker group had given TransUnion until today to pay the ransom, or they would leak sensitive personal information retrieved from the company’s database.

TransUnion has said it will not pay the ransom.

Severe ramifications

In a statement today, the Information Regulator expressed “continued dissatisfaction with the security compromise notification submitted by TransUnion, following the instructions given to the credit bureau on 19 March 2022, when the regulator called on TransUnion to explain the circumstances of the security compromise it experienced”.

The Information Regulator – headed by advocate Pansy Tlakula – is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of POPIA.

Breaching the rules and regulations outlined by this Act can have serious implications for the business, which can cost more than money and have long-lasting consequences.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

According to the regulator, the notification that TransUnion submitted is inadequate, unsatisfactory and falls short of what is required by POPIA.

“The notification does not provide sufficient details nor remedy to the millions of data subjects, people about whom the personal information relates, whose personal information has been compromised by the TransUnion security compromise.

“It omits critical information that provides assurance on how the matter is managed. The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis. This leaves the regulator extremely concerned regarding the adequacy of safeguards at TransUnion for the protection of personal information as is required in terms of POPIA,” the information watchdog says.

The regulator has now further directed TransUnion to provide it with a:

  • Detailed description of the possible consequences of the security compromise and its impact on data subjects.
  • Advice and recommendations on the measures to be taken by the data subjects to mitigate the potential adverse effects of the security compromise.
  • Description of the measures TransUnion intends to take or has taken to address the security compromise.

The watchdog notes POPIA empowers the regulator to direct a responsible party to publicise in any manner specified any information whose publicity would protect a data subject who may be affected by a security compromise.

“To this extent, and after considering the nature of personal information that has been compromised, the regulator has directed that, over and above other means of notification that TransUnion has employed, it must use all radio stations, broadcasting in each official language, publish in all newspapers and drive communication on various social media platforms to provide sufficient notification to data subjects about this security compromise,” the regulator states.

Further investigation

Additionally, it says, following a careful assessment of the contents of the credit bureau’s security compromise notification, and the extent and severity of the security compromise, the regulator will conduct an assessment on its own initiative into the appropriateness of TransUnion's security measures on integrity and confidentiality of personal information of data subjects in its possession or under its control.

The regulator has subsequently written to the credit bureau and expects a response by 1 April.

The Information Regulator says it has expressed grave concern about the credit bureau’s approach to ensuring the affected data subjects’ personal information is protected and that there are no further malicious actions with it by unauthorised persons in possession of the information.

“The regulator has asked TransUnion to provide it with confirmation that a criminal case has been opened with the SAPS, in terms of the Cyber Crimes Act, Act No 19 of 2020. If no criminal case has been opened, the regulator has requested reasons for the delay in doing so,” it concludes.

See also