Information regulator ‘extremely concerned’ with TransUnion security
The Information Regulator has found TransUnion's handling of the hack inadequate and unsatisfactory.
The Regulator instructed the credit bureau on 19 March 2022 to explain the circumstances of the security breach. Picture – iStock
The Information Regulator is seething over the way in which TransUnion has responded to the security hack which has exposed the personal information of 54 million people.
The Regulator instructed the credit bureau on 19 March 2022 to explain the circumstances of the security breach, by Brazil-based hacker group N4aughtysecTU- who claimed responsibility for the attack.
TransUnion handling ‘inadequate and unsatisfactory’
“The notification that TransUnion submitted is inadequate, unsatisfactory and falls short of what is required by the Protection of Personal Information Act (POPIA),” said the regulator in a statement.
“The notification does not provide sufficient details nor remedy to the millions of data subjects, people about whom the personal information relates, whose personal information has been compromised by the TransUnion security compromise.”
The regulator said that TransUnion omitted critical information that should have provided assurance on how the matter is managed.
“The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis.”
This has left the Regulator extremely concerned over TransUnion’s ability to safeguard the protection of personal information as is required in terms of POPIA.
The Regulator has now further directed that TransUnion provides the following:
- A detailed description of the possible consequences of the security compromise and its impact on data subjects.
- Advice and recommendations on the measures to be taken by the data subjects to mitigate the potential adverse effects of the security compromise.
- Description of the measures that TransUnion intends to take or has taken to address the security compromise
Popia empowers the Regulator to force TransUnion to make public any information on how affected people’s data would be protected.
“To this extent, and after considering the nature of personal information that has been compromised, the Regulator has directed that over and above other means of notification that TransUnion has employed, it must use all radio stations, broadcasting in each official language, publish in all newspapers and drive communication on various social media platforms to provide sufficient notification to data subjects about this security compromise,” said the Regulator in a statement.
The Regulator said it’s undertaken a ‘careful assessment of the credit bureau’s security compromise, including the extent and severity of the breach.
It’s now decided that it will investigate ‘the appropriateness of TransUnion’s security measures on integrity and confidentiality of people’s personal information in its possession or under its control.’
The Regulator is demanding a response from the credit bureau by 01 April 2022.
It also wants TransUnion to register a criminal case with Saps, in terms of the Cybercrimes Act, Act No. 19 of 2020.
If no criminal case has been opened, the Regulator has requested reasons for the delay in doing so.
N4ughtysecTU- Hacker group calls for infiltrators
The regulator’s statement comes after N4ughtysecTU began releasing the identity numbers of South Africa’s prominent politicians including President Cyril Ramaphosa and first lady Tshepo Motsepe, on a telegram group.
The hackers have demanded a R224m ransom from TransUnion SA- something the credit bureau has refused to pay.
N4aughtysectu has also made an offer to employees working in crucial service departments to earn double their salaries by working as infiltrators.
“We will be looking for employees working in important areas of the country such as electricity, water and hospital systems infrastructure, we offer money (we will give you double your salary) for you to serve as infiltrators. Anyone interested in the business, call @N4ughtySecTU,” said the group on its Telegram group.
Soon after the hacker group opened the channel, some South Africans began requesting that their applications for loans be approved and their debts erased.
NOW READ: Hackers with access to 54 million personal records demand R224m ransom from TransUnion SA
For more news your way
Download our app and read this and other great stories on the move. Available for Android and iOS.