Importers and exporters are angry after the tariff regulator, the International Trade Administration Commission (Itac), revealed only this week that it had suffered a ransomware attack in January.
They are also in the dark about the severity of the cyberattack or how much of the sensitive financial and personal information they share with the tariff regulator has been compromised.
XA Global Trade Advisors CEO Donald MacKay said the company’s clients are alarmed at the security compromise and the amount of time that passed before Itac revealed what happened.
“We are extremely alarmed at what happened, particularly given how long Itac took to notify companies who were potentially impacted,” said MacKay.
He said XA is in the process of notifying its clients — exporters and domestic clients — about the breach but does not yet know how they will respond. Much of the information companies submit to Itac is sensitive.
“Companies participating in Itac investigations submit all kinds of confidential information as part of the process. This ranges from names of clients, costs, prices, sales and a variety of financial information.”
But Itac chief commissioner Ayabonga Cawe has defended the regulator’s actions, saying it made the disclosure now and not in January to avoid unnecessary panic among stakeholders.
“We have been quite open and transparent about this with the Information Regulator and the SAPS and now with some of the data subjects and owners of the information ... (this is) why there was a delay of 12 weeks.
“The moment we find out there is a disruption in our system, we reach out to our cybersecurity providers. There was all manner of speculation from our IT teams of what it might be before it came to light that it was a ransomware attack,” he said.
In a statement released on Monday, Itac said it experienced a security compromise on January 2. Ransomware refers to malicious software designed to block a user’s access to an information system unless a sum of money is paid to the malicious actor to allow access again.
Itac’s mandate includes customs tariff investigations, trade imbalance remedies and import-export controls, meaning it handles and processes a diverse set of personal information from various importers and exporters.
The attackers are still unknown. It is also not clear if they have made any ransom demands to Itac or companies that deal with it. The commission said this was now part of a broader investigation by law enforcement agencies. The SAPS, the Information Regulator, State Security Agency and a third-party forensic firm are conducting separate probes into the matter.
“The moment you get in that terrain, you want to establish what has happened so that you don’t create unnecessary panic among stakeholders or among your own staff who cannot use their tools of trade,” Cawe added.
MacKay, however, said XA and its clients are hoping there will be no further harm from the breach, but if a competitor got hold of a company’s information, “this could have serious implications on their business”.
“The International Trade Administration Act provides comfort that this information will be safeguarded with fairly serious consequences to the people involved at Itac if the confidentiality is breached. This was obviously not deliberate, so it remains up to our clients to decide how they wish to react, if at all.”
However, MacKay said to the best of XA’s knowledge no-one has been harmed through this breach.
“This only just happened, so it will take a while to know how companies will respond to the breach. I am not aware of any of our clients considering any sort of action and if no harm is suffered, I hope it remains that way.”
Cawe said how a breach is disclosed is prescribed in law and Itac had a duty to handle the matter with care in strict adherence to the law, which can result in a delay.
“If I compare some of the disclosures of some of the breaches in the public and private sector and informing the public, this one has been much, much sooner... Even in the banking sector and others, there is often a significant time lag precisely for the reasons that I have mentioned.”
He said Itac sought guidance from legal professionals and the Information Regulator on how to contain the challenge and how to inform stakeholders about the matter.
“The Information Regulator has a very particular process in terms of how you notify them. We sent correspondence not long after the breach happened when we were made aware of it. What we are doing is very much part of the guidance from our legal advisers and what the regulator requires of us.”
Itac commissioned an internal forensic probe conducted by a third party to establish the nature of the breach and whether the criminals got the personal information of firms and individuals that reside in its infrastructure.
“I think if I had my personal information in these servers, I would want to know if these people have demanded ransoms and if they have taken my personal information to then do nefarious things with it,” said Cawe.
An institution cannot go far enough in securing infrastructure, he said, pointing out that Itac was not the first state entity to be hit with a cyberattack and would not be the last.
Transnet also faced a ransomware attack in 2021, which prompted the state-owned rail, port and logistics giant to declare a force majeure at multiple ports where it operates, including Richards Bay, Gqeberha, Ngqura and Cape Town.
In 2022, the Sunday Times reported that lax cybersecurity had exposed the personal data of millions of ordinary South Africans to hackers, and even President Cyril Ramaphosa’s home address, identity and cellphone numbers were accessed illegally as hackers ran rampant through flimsy security.
A series of screenshots supplied to the Sunday Times in May that year by a group of hackers calling themselves SpiderLog$, who have been running unauthorised vulnerability scans on government servers, showed that government departments and state-owned companies were unsafe and “wide open” to intrusion.
Cawe said Itac completed the acquisition of new IT infrastructure and servers just when the attack occurred, adding that it was “a cruel coincidence” that as the commission tried to fortify its environment, it was targeted by an attack.
“Our servers were not the only line of defence in terms of backup. We still had rudimentary means of backup to recover some of what was needed to at least service the public, to access our service infrastructure to clear goods through customs.”
The commission said when the technology team became aware of the security compromise, it took steps to contain it, including the immediate shutdown of affected servers, use of backup data on the affected servers, and an upgrade to Itac’s firewall and antivirus measures.
Information Regulator of South Africa spokesperson Nomzamo Zondi said it conducted an assessment and an investigation into the security compromise to establish the level of Itac’s compliance with the Protection of Personal Information Act.
“Only one incident was reported to the regulator. We are not privy to ... information [regarding how much money may have been lost by the targets of the attack], Itac would be in a better position to confirm this.”
She said the requirement in terms of section 22 of the Protection of Personal Information Act is that notification must be made to the Information Regulator “as soon as reasonably possible after the discovery of the compromise”.
About 140 cases are reported to it monthly. The Information Regulator has fined one public body, the department of justice & constitutional development, for contravention of the Protection of Personal Information Act, Zondi said.
Itac urged stakeholders to remain vigilant by never disclosing personal identification numbers, passwords, or one-time passwords over the phone, text or email.
It further advised companies to only provide personal information to verifiable sources, and avoid suspicious links and unwanted marketing calls when contacting the commission.



