Major credit bureau slapped with enforcement notice for data breach in South Africa

The Information Regulator has slapped credit bureau TransUnion with an enforcement notice following a data breach on 18 March 2022.

N4ughtySecTU, the group that claimed responsibility for the attack, alleged that it had exfiltrated 4TB of data from one of TransUnion’s databases, including the records of 54 million South Africans.

However, the bureau said far fewer people were impacted.

Initially, TransUnion stated that “at least” 3 million of its South African customers’ details were affected. A further 6 million ID numbers were exposed but not linked to other personal information.

TransUnion revised these numbers in June 2022.

“Our understanding is that data relating to 5 million consumers was potentially affected by the incident with a further 5.2 million consumers having had only ID numbers affected with no personal information linked to the ID number,” it said.

TransUnion refused to pay a $15 million (R224 million at the time) ransom to prevent the data from being leaked online.

Shortly after reports of the breach surfaced, the Information Regulator berated TransUnion for its notification not meeting Protection of Personal Information Act requirements.

The Regulator conducted an assessment, which found, among other things, that TransUnion had breached the conditions for the lawful processing of personal information.

It highlighted the following issues:

  • Failing to secure the confidentiality of the personal information in its possession or under its control.
  • Failing to take appropriate technical and organisational measures to ensure access control is implemented as directed by their own policy.
  • Having controls to detect this failure.
  • Failing to prevent unlawful access to or processing of personal information that enabled unauthorised actors to gain unlawful access through the use of compromised credentials and a weak password.
  • Failing to implement the safeguards that had been put in place in the form of access management policies and user creation policies.
  • Failing to implement the provisions of its own information security policies, which covered the domains recommended to ensure the confidentiality, integrity, and availability of its information processing environment as they relate to:
    • User creation — which meant there was a user created outside of approved user creation processes.
    • Password complexity — which meant the disregard for the password requirements as set out in their Access Control Policy.
Pansy Tlakula, Information Regulator chair

As a result of its findings, the Information Regulator has issued an enforcement notice against TransUnion.

It ordered the company to take three remedial steps.

Firstly, TransUnion must develop and put in place security measures to ensure the integrity and confidentiality of personal information in its possession or under its control.

These security measures must prevent loss of, damage to, unauthorised destruction or unlawful access to personal information.

Secondly, it must obtain the services of a qualified auditor to audit all user accounts against its SFTP user creation policy.

The auditor must determine if the configuration of any user accounts still falls outside the prescripts of the policy.

Finally, TransUnion must conduct a personal information impact assessment.

This is to ensure adequate measures and standards exist to comply with the conditions for the lawful processing of personal information.
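As an added illustration of the second remedial step (this is example code, not part of the article and not TransUnion's own tooling): a small audit that checks a register of SFTP accounts against a hypothetical user-creation policy, flagging accounts created outside the approved provisioning process, accounts with no approval record, and password-authenticated accounts that miss the rotation limit. The policy values, the provisioning-service name and the account records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical policy, constructed for this example; the article does not
# state TransUnion's actual SFTP user-creation policy.
APPROVED_PROVISIONERS = {"iam-provisioning-svc"}  # only this identity may create SFTP users
MAX_PASSWORD_AGE_DAYS = 90                         # rotation limit for password-auth accounts


@dataclass
class SftpAccount:
    username: str
    created_by: str                  # identity that created the account
    approval_ticket: Optional[str]   # change/approval reference, None if absent
    credential_set_on: date          # when the current credential was set
    auth_method: str                 # "key" or "password"


def audit_account(acct: SftpAccount, as_of: date) -> List[str]:
    """Return the policy deviations found for one account (empty list = compliant)."""
    findings = []
    if acct.created_by not in APPROVED_PROVISIONERS:
        findings.append("created outside the approved user-creation process")
    if not acct.approval_ticket:
        findings.append("no approval record")
    if acct.auth_method == "password":
        findings.append("password authentication instead of key-based authentication")
        if (as_of - acct.credential_set_on).days > MAX_PASSWORD_AGE_DAYS:
            findings.append("password older than the rotation limit")
    return findings


def audit_accounts(accounts: List[SftpAccount], as_of: date) -> Dict[str, List[str]]:
    """Map each non-compliant username to its findings; compliant accounts are omitted."""
    return {a.username: f for a in accounts if (f := audit_account(a, as_of))}


# Constructed sample register: one compliant service account, one ad-hoc account
# created by an individual with no approval, one approved account on a stale password.
SAMPLE_ACCOUNTS = [
    SftpAccount("svc_partner_feed", "iam-provisioning-svc", "CHG-1041", date(2024, 3, 1), "key"),
    SftpAccount("tmpuser1", "jdoe", None, date(2021, 11, 3), "password"),
    SftpAccount("reporting_in", "iam-provisioning-svc", "CHG-0980", date(2023, 12, 1), "password"),
]
AS_OF = date(2024, 5, 1)


def run_sample() -> Dict[str, List[str]]:
    return audit_accounts(SAMPLE_ACCOUNTS, AS_OF)
```

Running `run_sample()` reports `tmpuser1` with four findings and `reporting_in` with two, while `svc_partner_feed` is absent from the result because it is compliant.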

TransUnion has until 26 May 2024 to submit proof that all the remedial measures have been implemented, the Information Regulator said.
