Regulator slams ‘inadequate’ response to massive personal data hack in South Africa

South Africa’s Information Regulator says it is dissatisfied with the actions of TransUnion after the credit reporting agency fell victim to a hacking group – compromising the personal data of South African citizens.
TransUnion was compromised by the hacker group ‘N4aughtysecTU’ which demanded a $15 million (R225 million) ransom over four terabytes of compromised data. The hacker group claims the information in its possession contains everything from credit scores to banking details and ID numbers.
TransUnion South Africa issued a statement confirming that a criminal third party obtained access to an isolated South African server through misuse of an authorised client’s credentials.
However, the regulator said the notification submitted by TransUnion is ‘inadequate, unsatisfactory and falls short of what is required by the Protection of Personal Information Act (POPIA)’.
“The notification does not provide sufficient details nor remedy to the millions of data subjects, people about whom the personal information relates, whose personal information has been compromised by the TransUnion security compromise.
“It omits critical information that provides assurance on how the matter is managed. The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis.
“This leaves the Regulator extremely concerned regarding the adequacy of safeguards at TransUnion for the protection of personal information as is required in terms of POPIA.”
The regulator has now further directed TransUnion to provide it with:
- A detailed description of the possible consequences of the security compromise and its impact on data subjects;
- Advice and recommendations on the measures to be taken by the data subjects to mitigate the potential adverse effects of the security compromise;
- A description of the measures that TransUnion intends to take or has taken to address the security compromise.
Notification
The POPIA empowers the regulator to direct a responsible party to publicise in any manner specified any information whose publicity would protect a data subject who may be affected by a security compromise.
“To this extent, and after considering the nature of personal information that has been compromised, the regulator has directed that, over and above other means of notification that TransUnion has employed, it must use all radio stations, broadcasting in each official language, publish in all newspapers and drive communication on various social media platforms to provide sufficient notification to data subjects about this security compromise,” it said.
The regulator said it will also conduct an assessment on its own initiative into the appropriateness of TransUnion’s security measures on integrity and confidentiality of personal information of data subjects in its possession or under its control.
“The regulator has expressed grave concern about the credit bureau’s approach to ensuring that the affected data subjects’ personal information is protected and that there are no further malicious actions with it by unauthorised persons in possession of the information.
“The regulator has asked TransUnion to provide it with confirmation that a criminal case has been opened with the SAPS, in terms of the Cybercrimes Act, Act No. 19 of 2020. If no criminal case has been opened, the regulator has requested reasons for the delay in doing so.”