Entities that don’t take clients’ data security seriously are playing with fire

Corporates and public institutions that continue to disregard the importance of safeguarding their clients’ personal information do so at great risk.

The Information Regulator (IR) briefed the media and the public on 26 March on the outcomes of prominent cases it has been investigating. These cases involve complaints under the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (POPIA).

Updates were provided on POPIA investigations, including compliance updates on TransUnion and Dis-Chem.

New investigations were announced, including ones involving the Companies and Intellectual Property Commission (CIPC), and the South African Police Service (SAPS).

The Regulator can investigate POPIA complaints submitted by anyone or initiate investigations on its own.

For PAIA matters, investigations can proceed only upon receiving a complaint from a requester or third party.

According to Pansy Tlakula, chairperson of the Information Regulator, the entity received 982 POPIA-related complaints during the 2023/24 financial year. A total of 14 responsible parties were assessed.

“Of these, 682 complaints were resolved, and 10 assessments were completed and are ready for determination by the Regulator through the issuing of enforcement notices,” said Tlakula.

The IR’s briefing took place on the same day that Nampak informed its shareholders it had suffered a cyberattack in which “an unknown third party” accessed its IT systems.

The incident was detected on 20 March, the JSE-listed packaging firm said in a SENS announcement.

Nampak said it was taking the necessary measures to determine the scope of the compromise, to restore the integrity of its IT systems, and to ensure it was not exposed to further risk.

The data breach had not affected its manufacturing facilities and operations, which were functioning as normal, albeit with some manual operating systems where required.

Nampak said it had made an initial notification to the Information Regulator. “This will be supplemented as the investigation progresses, and a notification to potentially affected data subjects will be made as soon as possible, in accordance with POPIA requirements.”

TransUnion called to act

In March 2022, TransUnion, a registered credit bureau and a repository of credit information on consumers and businesses, submitted a section 22 notification indicating that it had suffered a security compromise.

A hacking group calling itself N4aughtysecTU claimed to have accessed about 54 million records, including data from more than 200 corporates.

TransUnion responded, saying that at least three million consumers had been impacted by the hack. An additional six million identity numbers had been compromised.

According to the credit bureau, the 54 million records were the result of data breaches unrelated to TransUnion dating back to 2017.

In a statement sent out shortly after the breach, the IR expressed “continued dissatisfaction with the security compromise notification submitted by TransUnion, following the instructions given to the credit bureau on 19 March, when the regulator called on TransUnion to explain the circumstances of the security compromise it experienced”.

Read: Regulator unhappy with TransUnion’s handling of data breach

Tlakula said that since then, the IR has conducted an assessment that found, among other things, that TransUnion had breached the conditions for the lawful processing of personal information by:

  • Failing to secure the confidentiality of the personal information in its possession or under its control.
  • Failing to take appropriate technical and organisational measures to ensure that access control was implemented as directed by its policy, and having no controls to detect this failure.
  • Failing to prevent unlawful access to or processing of personal information, which enabled unauthorised actors to gain access via compromised credentials and a weak password.
  • Failing to implement the safeguards it had put in place in the form of access management policies and user creation policies.
  • Failing to implement the provisions of its own information security policies, which covered the domains recommended to ensure the confidentiality, integrity and availability of its information processing environment, specifically as regards user creation (a user was created outside the approved user creation process) and password complexity (the password requirements set out in its access control policy were disregarded).

As a result, the IR issued an Enforcement Notice against TransUnion, ordering the company to:

  • Develop and put in place security measures to ensure the integrity and confidentiality of personal information in its possession or under its control to prevent the loss of, or damage to, or unauthorised destruction of, or unlawful access to personal information.
  • Obtain the services of a qualified auditor to perform an audit of all user accounts against the SFTP user creation policy, to determine whether the configuration of any further user accounts falls outside the prescripts of the policy.
  • Conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information.
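The two control failures the IR found (an account created outside the approved user creation process, and a password that ignored the access control policy's complexity rules) and the ordered audit of all SFTP accounts against the user creation policy can both be checked mechanically. The script below is an added example, not TransUnion's or the Regulator's tooling: the account export format, the policy fields, the ticket-number pattern and the sample accounts are all assumptions constructed for illustration. It flags accounts whose provisioning does not match the policy, and separately rejects candidate passwords that fail a complexity rule before they are set.

```python
"""Audit SFTP user accounts against a user-creation policy and a password rule.

Added example (not TransUnion's or the Information Regulator's code). The
account record layout, policy fields and sample accounts are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class CreationPolicy:
    """Assumed SFTP user-creation policy (illustrative, not a real policy)."""
    approved_creators: frozenset          # identities allowed to provision accounts
    ticket_pattern: str = r"^CHG-\d{6}$"  # every account must cite a change ticket
    allowed_shells: frozenset = frozenset({"/usr/sbin/nologin", "/sbin/nologin"})
    required_group: str = "sftp-users"


@dataclass
class PasswordPolicy:
    min_length: int = 14
    min_classes: int = 3                  # of: lowercase, uppercase, digit, symbol
    banned_fragments: tuple = ("password", "welcome", "sftp", "1234")


CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_violations(password: str, policy: PasswordPolicy) -> list:
    """Return the rules a candidate password breaks (empty list means compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < policy.min_classes:
        problems.append(f"only {classes} of {policy.min_classes} character classes")
    lowered = password.lower()
    for frag in policy.banned_fragments:
        if frag in lowered:
            problems.append(f"contains banned fragment {frag!r}")
    return problems


def audit_account(acct: dict, policy: CreationPolicy) -> list:
    """Compare one exported account record with the creation policy."""
    findings = []
    if acct.get("created_by") not in policy.approved_creators:
        findings.append(f"created by unapproved identity {acct.get('created_by')!r}")
    if not re.match(policy.ticket_pattern, acct.get("ticket") or ""):
        findings.append("no valid change ticket recorded")
    if acct.get("shell") not in policy.allowed_shells:
        findings.append(f"interactive shell {acct.get('shell')!r} on an SFTP-only account")
    if policy.required_group not in acct.get("groups", ()):
        findings.append(f"not a member of {policy.required_group!r}")
    # Password still the one set by the provisioner: never rotated since creation.
    if acct.get("password_changed") == acct.get("created"):
        findings.append("initial password never rotated since creation")
    return findings


def audit_accounts(accounts: list, policy: CreationPolicy) -> dict:
    """Return {username: findings} for every account with at least one finding."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, policy)
        if findings:
            report[acct["username"]] = findings
    return report


# Constructed sample export (not real accounts): one compliant, two non-compliant.
SAMPLE_ACCOUNTS = [
    {"username": "partner-acme", "created_by": "iam-provisioning", "ticket": "CHG-004512",
     "shell": "/usr/sbin/nologin", "groups": ["sftp-users"],
     "created": "2021-11-02", "password_changed": "2022-01-15"},
    {"username": "sftp", "created_by": "root", "ticket": None,
     "shell": "/bin/bash", "groups": ["sftp-users", "sudo"],
     "created": "2019-06-30", "password_changed": "2019-06-30"},
    {"username": "vendor-tmp", "created_by": "iam-provisioning", "ticket": "TEMP",
     "shell": "/usr/sbin/nologin", "groups": ["users"],
     "created": "2022-02-01", "password_changed": "2022-02-20"},
]

POLICY = CreationPolicy(approved_creators=frozenset({"iam-provisioning"}))

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS, POLICY).items():
        print(user)
        for finding in findings:
            print("  -", finding)
    print("Password1 ->", password_violations("Password1", PasswordPolicy()))
```

The audit deliberately reads the provisioning metadata (who created the account, under which ticket, with which shell and group) rather than the password itself: an auditor cannot recover passwords from hashes, but an account with no ticket, an interactive shell and a password never rotated since an administrator set it is exactly the kind of out-of-process account the findings describe. Complexity is enforced at the point the password is chosen, where `password_violations` can still reject it.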

TransUnion has until 26 May to submit proof to the IR that all the remedial measures in the Enforcement Notice have been implemented.

If TransUnion does not comply within the given time, the IR can issue an infringement notice, which can carry a penalty of imprisonment or a fine of up to R10 million.

Dis-Chem in the clear

In April and May 2022, an unauthorised party launched a “brute force attack” on Grapevine, Dis-Chem’s third-party service provider. A brute force attack tries to recover a password by submitting candidate passwords one after another until the correct one is accepted.

The attack saw the personal information of 3.6 million data subjects being accessed by unauthorised persons from Dis-Chem’s e-statement service database.
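A brute-force attempt of the kind described above leaves a distinctive trail in authentication logs: a burst of failed logins from one source, often across many usernames, and, if it succeeds, an accepted login from that same source. The detector below is an added example and not Dis-Chem's, Grapevine's or the Regulator's tooling; the OpenSSH-style log format and every sample line are constructed for illustration. It keeps a sliding window of failures per source address, raises an alert when the window reaches a threshold, and raises a second, more urgent alert if a flagged source then logs in successfully.

```python
"""Detect brute-force and password-spraying bursts in authentication logs.

Added example (not Dis-Chem's, Grapevine's or the Information Regulator's code).
The log format and all sample lines are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return {ts, ok, user, ip} for a password-auth line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of failed logins per source address.

    One alert when a source reaches `threshold` failures inside `window`
    (classed as 'password spraying' when the failures target several
    usernames), and a second alert if that same source then logs in
    successfully, which is the sign that a guess landed.
    """
    failures = defaultdict(deque)   # ip -> deque of (timestamp, username)
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if not ev["ok"]:
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                users = sorted({u for _, u in q})
                alerts.append({
                    "type": "password spraying" if len(users) > 1 else "brute force",
                    "ip": ev["ip"], "failures": len(q), "users": users, "at": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"type": "success after failure burst", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(q), "at": ev["ts"]})
    return alerts


def _line(ts, pid, result, user, ip, port, invalid=False):
    """Build one constructed OpenSSH-style auth line."""
    who = f"invalid user {user}" if invalid else user
    return (f"{ts.isoformat()} sftp01 sshd[{pid}]: {result} password for {who} "
            f"from {ip} port {port} ssh2")


def sample_log():
    """Constructed sample: one legitimate user with two typos, one spraying source."""
    t0 = datetime(2022, 4, 12, 2, 14, 0)
    lines = [
        _line(t0 - timedelta(minutes=3), 4001, "Failed", "alice", "198.51.100.4", 50211),
        _line(t0 - timedelta(minutes=2, seconds=50), 4001, "Failed", "alice", "198.51.100.4", 50211),
        _line(t0 - timedelta(minutes=2, seconds=40), 4001, "Accepted", "alice", "198.51.100.4", 50211),
    ]
    guesses = ["admin", "root", "test", "estatements", "backup", "ftp",
               "oracle", "support", "guest", "admin", "estatements", "sysadmin"]
    for i, user in enumerate(guesses):
        lines.append(_line(t0 + timedelta(seconds=10 * i), 4100 + i, "Failed", user,
                           "203.0.113.7", 51000 + i, invalid=(user != "estatements")))
    lines.append(_line(t0 + timedelta(seconds=130), 4200, "Accepted", "estatements",
                       "203.0.113.7", 51200))
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The threshold and window are the tuning knobs: a legitimate user mistyping a password twice never reaches ten failures in five minutes, while a spraying source does within the first couple of minutes. The "success after failure burst" alert is the one to page on, because it means an account is now in the attacker's hands and needs its sessions revoked and password reset.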

Following an investigation into the security compromise, the IR issued an Enforcement Notice against the retailer in August last year.

The Enforcement Notice ordered Dis-Chem to, among other things:

  • Conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information, as required by Regulation 4(1)(b) of POPIA.
  • Implement an adequate Incident Response Plan. This includes implementing the Payment Card Industry Data Security Standard (PCI DSS) by maintaining a vulnerability management programme, implementing strong access control measures, and maintaining an Information Security Policy.
  • Conclude written contracts with all operators that process personal information on its behalf. The contracts must compel the operators to establish and maintain the same or better security measures referred to in section 19 of POPIA.
  • Develop, implement, monitor, and maintain a compliance framework in terms of Regulation 4(1)(a) of POPIA that clearly provides for the reporting obligations of Dis-Chem and all its operators in terms of section 22 of POPIA.

Read: Dis-Chem disputes Information Regulator’s findings about data breach

During the press briefing, Tlakula said the IR had finished evaluating Dis-Chem’s adherence to the Enforcement Notice. She confirmed that Dis-Chem is now compliant with the recommendations outlined in the notice.

“As a result, the Regulator has closed its file on Dis-Chem,” said Tlakula.

Oops, SAPS did it again

In April last year, the IR issued an enforcement notice against the SAPS for the distribution of personal information of the victims of sexual assault in the Krugersdorp area in July 2022.

The gang rape of eight women, part of a music video shoot at an abandoned mine dump, shocked the nation.

The IR found that SAPS violated POPIA provisions when personal information of the women was shared on social media.

The IR’s Enforcement Committee reported on 5 April last year that the SAPS failed to protect victims’ personal information and breached the lawful processing conditions under POPIA. The SAPS also failed to notify the IR and the victims of the security breach as required.

The SAPS stated it shared victims’ information on WhatsApp groups to alert relevant stations about the crime in the West Rand District. However, the message was leaked to social media, beyond its intended purpose.

The IR ordered the SAPS, among other things, to investigate the circumstances that led to this security compromise.

The investigation had to specify the measures the SAPS has taken to ensure that this incident, or any incident of a similar nature, would not recur.

Tlakula said the SAPS has complied with the Enforcement Notice, and the matter was closed.

Read: SAPS breached POPIA after rape victims’ personal info appears on social media

However, later during the media briefing, Tlakula said the IR had initiated another investigation into the SAPS for a similar breach of POPIA.

Tlakula said the investigation stemmed from inquiries into the deaths of businessman Jabulani Ben Gumbi and Captain Ernest Dambuza. Detailed crime scene reports and personal information, such as car registration numbers and the home addresses of those involved in the investigations, were widely shared on WhatsApp.

“The Regulator is considering measures to be taken against SAPS for this continued transgression of POPIA requirements,” said Tlakula.

CIPC

Last month, the CIPC alerted its clients and staff to a potential breach of their personal information.

The CIPC, which oversees registration data for millions of entities and individuals, including ownership details of companies and intellectual property rights, issued a brief statement on 29 February. The statement did not specify when the breach occurred or was detected.

According to the statement, the CIPC’s technicians identified a possible security breach.

“Our ICT technicians were alerted […] to a possible security compromise and […] certain CIPC systems were shut down immediately to mitigate any possible damage,” it stated. “Unfortunately, certain personal information of our clients and CIPC employees was unlawfully accessed and exposed.”

Read: Hackers access CIPC’s client and employee records

Earlier this month, MyBroadband reported that the CIPC was being “coy” about the extent of the breach.

The ransomware gang that claimed responsibility for the CIPC hack reportedly contacted MyBroadband after the release of the CIPC press statement, saying the group had had access to the agency’s systems since 2021.

A representative of the group alleged that the CIPC had attempted to conceal a breach that occurred nearly three years earlier and had failed to take any action to address its security vulnerabilities.

Tlakula said the IR has commenced its own-initiative investigation into the breach.

“Reports received by the Regulator indicate that the threat actors that breached the CIPC systems are still in the CIPC IT environment, and the CIPC systems remain compromised.”

Tlakula said another point of inquiry regarding the CIPC’s organisational and technical measures for protecting personal information will be whether the CIPC’s business model facilitates the selling and buying of personal information in its possession.