
Q&A with South Africa's information regulator Pansy Tlakula

It has been leaked that the department of defence and State Security Agency suffered major data breaches in August. Chris Barron asked advocate Pansy Tlakula ...

As South Africa expands its digital economy, cybercriminals are launching indiscriminate attacks, choosing high-value targets with surgical precision, says the writer. Stock photo. (123RF/WELCOMIA)

Q: Is government taking cyber security seriously enough?

A: Our mandate is to ensure public and private bodies have adequate security measures in place to protect the confidentiality and integrity of data.

Q: So why have there been such serious data breaches at state bodies like the departments of justice and defence, Transnet and the State Security Agency (SSA)?

A: In our law, every public and private body that suffers a data breach has to inform the regulator. Because of that requirement, from the beginning of this year we've had about 750 notifications of security breaches.

Q: Did the department of defence inform you it had suffered a data breach?

A: No. We have sent them an information notice in which we're requesting certain information regarding that data breach. I'm not sure whether they have responded.

Q: Did the State Security Agency inform you it had suffered a data breach?

A: No, even the SSA did not inform us and we're also following up with them with an information notice. That will inform us on how we move forward, after they have responded and given us information.

Q: Does it concern you that such data breaches are not being reported?

A: Yes. I don't want to reference State Security or defence because we are still investigating, but in general terms to defy the regulator is a criminal offence. So apart from investigating the adequacy of the security measures we'll also investigate, even if they have informed us, if the notification was in compliance with our law.

Q: Are you concerned by reports that State Security and defence tried to cover up these data breaches?

A: I don't want to say that because I don't want to pre-empt anything. The investigation will tell us what happened.

Q: Are you concerned there may have been other data breaches at state bodies, including the SSA and defence, without you getting to hear about it?

A: Yes, because most of the breaches, the major ones in particular, that we have investigated, we have gotten the information from the media. Whether you're talking about TransUnion, the department of justice, defence or even SSA, we get this information from the media. That is concerning because the legal obligation that everyone has is to inform us.

Q: How much muscle do you have in terms of monitoring government bodies?

A: We have a lot of muscle because we can conduct an own-initiative investigation or own-initiative assessment, as we did with justice. The assessment report is equivalent to an enforcement notice, which means it has to be complied with. If a body doesn't comply, we issue an infringement notice.

Q: What happens then?

A: We can either fine them, as we did with the department of justice, or if they so prefer, we can institute criminal proceedings against them. So we have quite effective powers. It's just that the route to the infringement notice is quite long.

Q: Are these data breaches due to a lack of expertise?

A: At the heart of what happened at justice was the expiration of licences that could have alerted them when there was an intrusion into their system. You cannot say that's lack of expertise.

Q: Failure to take cyber security seriously enough?

A: Exactly.

