Information regulator nails TransUnion for massive data breach in South Africa

 ·26 Mar 2024

The Information Regulator of South Africa has issued an enforcement notice to credit bureau TransUnion, giving the group until 26 May 2024 to implement remedial measures to address various failings found in a major 2022 data breach.

In March 2022, TransUnion, a registered credit bureau and a repository of credit information on consumers and businesses, submitted a section 22 notification indicating that it had suffered a security compromise.

In the breach, at least three million South Africans were impacted after TransUnion’s systems were compromised by a hacker group targeting what the company said was an “isolated server”.

A host of details were stolen, including names, ID numbers, contact details, vehicle finance data and other personal information.

At the time, TranUnion indicated that the breach did not take place through a systems hack or a ransomware attack. Instead, the systems were breached by the hacker group obtaining access to the TransUnion South Africa server through “misuse of an authorised client’s credentials”.

While TransUnion initially issued a statement confirming the breach had taken place, this was deemed an ‘inadequate response’ by the information regulator.

Following an investigation into the breach, the regulator found that TransUnion violated the conditions for the lawful processing of information by:

  • Failing to secure the confidentiality of personal information in its possession;
  • Failing to take appropriate technical and organisational measures to ensure access control is implemented and also not having controls to detect failures;
  • Failing to prevent unlawful access to or processing of personal information through the use of compromised credentials and use of a weak password;
  • Failing to implement safeguards that had been put in place; and
  • Failing to implement the provisions of its own information security policies.

Consequently, TransUnion has been hit with an enforcement notice from the regulator, where the company will now have to:

  • Develop and put in place security measures to ensure the integrity and confidentiality of personal information in its possession or under its control to prevent loss of, damage to, unauthorised destruction or unlawful access to, personal information.

  • Obtain the services of a qualified auditor/audit firm that will perform an audit on all user accounts against the SFTP user creation policy to determine if the configuration of any further user accounts falls outside the prescripts of the policy.

  • Conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information.

TransUnion has until 26 May 2024 to submit proof to the regulator that all the remedial measures in the Enforcement Notice have been implemented, it said.

Read: CIPC securing accounts after major hack – what you need to know

Show comments
Subscribe to our daily newsletter