
TransUnion could be fined R10m if hacked personal records were not well protected

Company says it will refuse to pay $15m ransom

TransUnion SA, whose systems were breached by hackers demanding a ransom of $15m, could be in hot water with SA’s Information Regulator if its safeguards against cyber attack are found to be insufficient. Stock photo. (123RF)

TransUnion SA, whose systems were breached by hackers demanding a ransom of $15m (R223m) and claiming to have access to the personal records of 54-million South Africans, could be in hot water with SA’s Information Regulator if its safeguards against cyber attack are found to be insufficient.

The Information Regulator, a constitutional body which regulates private and public companies to ensure they are compliant with the Protection of Personal Information Act (Popia) and the Promotion of Access to Information Act, says it has been informed officially by TransUnion of the breach.

Nomzamo Zondi, senior manager of communications at the Information Regulator, said it would investigate the breach and “where we find instances of illegality or lack of proper safeguards for protection of personal information we will hold everyone involved accountable”.  

“What is claimed is that there is a massive amount of data, subjects’ personal information — some 54-million people — which may have been accessed by unauthorised people and this makes this a serious incident.”

She said if the regulator found there were “illegalities or lack of proper safeguards”, TransUnion could face fines as high as R10m.

ITWeb reported that it had spoken to the hackers via the messaging service Telegram and was told that the IT systems used by TransUnion were “so weak” that it used the word “Password”, and that the hackers had contacted CEO Lee Naik on his personal cellphone after his information was found on the TransUnion systems.

However, TransUnion said in a statement yesterday that no new personal information had been compromised, and that the data had in fact been breached several years ago.

“We believe that the 54-million records relate to a 2017 data incident unrelated to TransUnion.”

In an earlier statement on Friday, TransUnion said a “criminal third party obtained access to a TransUnion SA server through misuse of an authorised client’s credentials”, and that it “received an extortion demand and it will not be paid”.

When it discovered the breach it immediately “suspended the client’s access, engaged cyber security and forensic experts and launched an investigation”.

“As a precautionary measure, TransUnion SA took certain elements of its services offline. These services have resumed. We believe the incident affected an isolated server holding limited data from our South African business. We are working with law enforcement and regulators.”

The group said it was “engaging” with clients in SA about the incident and that as its “investigation progresses, we will notify and assist individuals whose personal data may have been affected”.

“We will be making identity protection products available to affected consumers free of charge. The security and protection of the information we hold is TransUnion’s top priority,” said Naik in the statement.

“We understand that situations like this can be unsettling and TransUnion SA remains committed to assisting anyone whose information may have been affected.”

'A new landscape of war'

Bryan Turner, a data analyst at World Wide Worx, says TransUnion finds itself “caught between a rock and a hard place” because if it doesn’t accede to the cyber attackers’ demands and people’s personal information is leaked, it could run foul of local regulators and possibly be fined.

“They say they are not keen on paying the ransom but there are 54-million personal records now potentially being exposed, which also may come with a fine from the Information Regulator.”

Turner said cyber attacks were on the rise around the world and this had especially been seen recently with the invasion of Ukraine by Russia.

“We are looking at a new landscape of war and that’s a cyber war. All countries are going to be susceptible to these types of cyber attacks.”

Private companies that let their guard down “will become victims”.

Turner said it was essential for private companies to “stay on top of their cyber security game”, adding that they needed to start employing the people who hack them to “ensure that the strategies they have in place are sound to protect themselves”.

“As cyber security strategies age, it’s always been a game of cat and mouse between companies and cyber attackers, but now it is becoming an even bigger game of cat and mouse.”

