The Information Regulator is seething over the way in which TransUnion has responded to the security breach that exposed the personal information of 54 million people.
On 19 March 2022 the Regulator instructed the credit bureau to explain the circumstances of the breach, for which the Brazil-based hacker group N4ughtySecTU has claimed responsibility.
“The notification that TransUnion submitted is inadequate, unsatisfactory and falls short of what is required by the Protection of Personal Information Act (POPIA),” said the Regulator in a statement.
“The notification does not provide sufficient details nor remedy to the millions of data subjects, people about whom the personal information relates, whose personal information has been compromised by the TransUnion security compromise.”
The Regulator said that TransUnion omitted critical information that should have provided assurance on how the matter is being managed.
“The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis.”
This has left the Regulator extremely concerned about TransUnion’s ability to safeguard personal information as required under POPIA.
The Regulator has now issued further directions to TransUnion.
POPIA empowers the Regulator to compel TransUnion to make public information on how affected people’s data will be protected.
“To this extent, and after considering the nature of personal information that has been compromised, the Regulator has directed that over and above other means of notification that TransUnion has employed, it must use all radio stations, broadcasting in each official language, publish in all newspapers and drive communication on various social media platforms to provide sufficient notification to data subjects about this security compromise,” said the Regulator in a statement.
The Regulator said it has undertaken a ‘careful assessment of the credit bureau’s security compromise, including the extent and severity of the breach’.
It has now decided that it will investigate ‘the appropriateness of TransUnion’s security measures on integrity and confidentiality of people’s personal information in its possession or under its control’.
The Regulator is demanding a response from the credit bureau by 1 April 2022.
It also wants TransUnion to register a criminal case with the South African Police Service (SAPS) in terms of the Cybercrimes Act, Act No. 19 of 2020.
If no criminal case has been opened, the Regulator has requested reasons for the delay in doing so.
The Regulator’s statement comes after N4ughtySecTU began releasing the identity numbers of prominent South African politicians, including President Cyril Ramaphosa and First Lady Tshepo Motsepe, on a Telegram group.
The hackers have demanded a R224m ransom from TransUnion SA, which the credit bureau has refused to pay.
N4ughtySecTU has also offered employees working in critical service sectors double their salaries to act as infiltrators.
“We will be looking for employees working in important areas of the country such as electricity, water and hospital systems infrastructure, we offer money (we will give you double your salary) for you to serve as infiltrators. Anyone interested in the business, call @N4ughtySecTU,” the group said on its Telegram channel.
Soon after the hacker group opened the channel, some South Africans began requesting that their applications for loans be approved and their debts erased.