[ad_1]
The Information Regulator of South Africa says it is close to revealing the outcome of its investigation into the much-reported TransUnion data breach in 2022. However, the probe into a major 2020 Experian breach could still take some time.
Established as an independent body in 2016, the regulator has been tasked with ensuring compliance by public and private bodies with the Promotion of Access to Information Act (Paia) and the Protection of Personal Information Act (Popia).
That includes holding companies accountable for data leaks and breaches that affected the security of people’s private information.
The regulator — chaired by Pansy Tlakula — has the power to make recommendations on interventions to fix security and privacy problems and issue fines against companies that fail to respond.
TransUnion and Experian are major credit bureaus that hold vast amounts of personal data in their databases.
This can include names and surnames, identification numbers, passport numbers, contact information, home addresses, credit histories, dates of birth, vehicle finance contract numbers, and car VINs.
Companies and banks use the data to conduct credit vetting on potential customers, as well as other financial background checks.
The Experian data breach occurred in 2020 and was first reported by the South African Banking Risk Centre (Sabric).
The incident exposed as many as 24 million South Africans and nearly 794,000 business entities when convicted fraudster Karabo Phungula obtained the dataset under false pretences.
Phungula allegedly wanted to sell the data for R4 million. He was arrested about a year later.
It later emerged that Phungula had stolen the identity document of a businessman who had access to the service’s database and fraudulently extracted the information in May 2020.
In March 2023, the Specialised Commercial Crimes Court in Palm Ridge sentenced Phungula to 15 years in prison for fraud and violation of the Electronic Communications and Transactions Act.
Experian discovered the alleged fraud in July 2020 but only reported it to the Information Regulator and the public in August 2020.
In its latest update shared with MyBroadband, the regulator said it did not have a deadline for the conclusion of its Experian investigation.
It explained that the Experian matter had “legal intricacies,” which its commissioners were still considering.
“It is still ongoing because there were multiple incidents that resurfaced following the initial security compromise that happened in 2020,” the regulator stated.
The TransUnion data breach in March 2022 was due to the bureau falling victim to hacking group N4ugthySecTU.
While the attackers alleged they exfiltrated 4TB of data from one of TransUnion’s databases, including the records of 54 million South Africans, the bureau said “at least” 3 million of its South African customers’ details were impacted.
A further 6 million ID numbers were exposed but not linked to other personal information.
TransUnion refused to pay a $15-million (R224 million at the time) ransom to prevent the data being leaked online.
Shortly after reports of the breach first surfaced, the Information Regulator berated TransUnion for its response not meeting the requirements of Popia.
“The notification does not provide sufficient details nor remedy to the millions of data subjects, people about whom the personal information relates, whose personal information has been compromised by the TransUnion security compromise,” the regulator stated.
“It omits critical information that provides assurance on how the matter is managed. The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis.”
“This leaves the Regulator extremely concerned regarding the adequacy of safeguards at TransUnion for the protection of personal information as is required in terms of Popia,” it added.
In its latest update, the regulator said the TransUnion assessment had been completed and was in the final stages of a decision following the probe’s findings.
“The outcome will be communicated once it has been finalised,” the regulator said.
The regulator recently doled out enforcement notices against Dis-Chem and the Department of Justice (DoJ) after they suffered separate hacking incidents.
In the case of the DoJ, it was found that negligence led to its online systems being hacked and held to ransom for several months.
The department failed to abide by the notice to amend its security lapses and was slapped with a R5-million fine.
Dis-Chem is facing a potential R10-million fine unless it fixes security issues highlighted by the regulator after its systems were compromised in a brute-force attack.
The regulator told MyBroadband it was continuously conducting assessments in terms of section 89 of Popia and investigations in terms of section 76 (3), for which reports are at various stages of finalisation.
“Our assessments cover a wide range of issues relating to the protection of personal information and over and above those related to on security compromises,” it said.
“We will continue conducting assessments as it is our legislative mandate to do so and as and when reports are finalised, we will follow due process in terms of sanctions if any are to be made.”
Now read: South Africa’s data leak and privacy watchdog cuts its teeth
[ad_2]
Source link