Itac data breach has industry fuming
International Trade Administration Commission withheld details of January ransomware attack until this week
Importers and exporters are fuming after tariff regulator the International Trade Administration Commission of South Africa (Itac) withheld news of a ransomware attack in January until this week.
They have still not been informed of the severity of the cyberattack or how much sensitive financial and personal information shared with the body may have been compromised.
XA Global Trade Advisors CEO Donald MacKay said clients are alarmed about the security compromise and the amount of time it took Itac to reveal what happened.
“We are extremely alarmed at what happened, particularly given how long Itac took to notify companies who were potentially impacted,” MacKay said.
XA is notifying its clients — exporters and domestic clients — about the breach but doesn’t yet know how they will respond. Much of the information companies submit to Itac is sensitive, he added.
“Companies participating in Itac investigations submit all kinds of confidential information ... This ranges from the names of clients, costs, prices, sales and a variety of financial information.”
Itac chief commissioner Ayabonga Cawe said it had delayed disclosure to avoid unnecessary panic among stakeholders.
“We have been quite open and transparent about this with the Information Regulator and the SAPS and now with some of the data subjects and owners of the information ... [that’s] why there was a delay of 12 weeks,” he said.
“The moment we find out there is a disruption in our system, we reach out to our cybersecurity providers. There was all manner of speculation from our IT teams as to what it might be before it came to light that it was a ransomware attack,” Cawe added.
In a statement released on Monday, Itac said it experienced a security compromise on January 2.
Ransomware refers to malicious software designed to block a user’s access to an information system unless money is paid to the attacker.
Itac’s mandate includes customs tariff investigations, trade imbalance remedies and import-export controls, and it therefore handles and processes much personal information from various importers and exporters.
The attackers are still unknown, and it is not clear whether they made any demands to Itac or companies that deal with it. The commission said the matter was now part of a broader investigation by law enforcement agencies.
The SAPS, the Information Regulator, the State Security Agency and a third-party forensic firm are conducting separate probes into events.
“The moment you get in that terrain, you want to establish what has happened so that you don’t create unnecessary panic among stakeholders or among your own staff who cannot use their tools of trade,” Cawe said.
MacKay said XA and its clients are hoping there will be no further harm from the breach, but if a competitor were to gain access to a company’s information, “this could have serious implications for their business”.
“The International Trade Administration Act provides comfort that this information will be safeguarded with fairly serious consequences to the people involved at Itac if the confidentiality is breached,” he said.
“Obviously, this was not deliberate, so it remains up to our clients to decide how they wish to react, if at all.”
MacKay said to the best of XA’s knowledge no-one has been harmed as a result of the breach.
“This only just happened, so it will take a while to know how companies will respond to the breach. I am not aware of any of our clients considering any sort of action and if no harm is suffered, I hope it remains that way,” he added.
Cawe said procedures for disclosing a breach are prescribed in law and Itac had a duty to handle the matter in strict adherence to the law, which can result in delays.
“If I compare some of the disclosures of some of the breaches in the public and private sector and informing the public, this one has been much, much sooner,” he said.
“Even in the banking sector and others, there is often a significant time lag precisely for the reasons that I have mentioned.”
Cawe said Itac sought guidance from legal professionals and the Information Regulator on containing the challenge and how to inform stakeholders about the matter.
“The Information Regulator has a very particular process in terms of how you notify them. We sent correspondence not long after the breach happened when we were made aware of it,” he said.
“What we are doing is very much part of the guidance from our legal advisers and what the regulator requires of us.”
Itac commissioned an internal forensic investigation — which was conducted by a third party — to establish the nature of the breach and whether the criminals had gained access to sensitive information of firms and individuals that resides in its infrastructure.
“I think if I had my personal information in these servers, I would want to know if these people have demanded ransoms and if they have taken my personal information to then do nefarious things with it,” Cawe said.
An institution cannot go far enough in securing infrastructure, he added, and pointed out that Itac was not the first state entity to be hit with a cyberattack, and wouldn’t be the last.
Transnet faced a ransomware attack in 2021, which prompted the state-owned rail, port and logistics operator to declare force majeure at multiple ports where it operates, including Richards Bay, Gqeberha, Ngqura and Cape Town.
In 2022, the Sunday Times reported that lax cybersecurity had exposed the personal data of millions of South Africans to hackers, who were even able to access President Cyril Ramaphosa’s home address, identity and cellphone numbers.
A series of screenshots supplied to the Sunday Times in May that year by a group of hackers calling themselves SpiderLog$, who have been running unauthorised vulnerability scans on government servers, showed that government departments and state-owned companies were unsafe and “wide open” to intrusion.
Cawe said Itac completed the acquisition of new IT infrastructure and servers just when the attack occurred, adding that it was “a cruel coincidence” that as the commission tried to fortify its environment, it was targeted by an attack.
“Our servers were not the only line of defence in terms of backup. We still had rudimentary means of backup to recover some of what was needed to at least service the public, to access our service infrastructure to clear goods through customs,” he said.
The commission said that when the technology team became aware of the security compromise, it took steps to contain it, including the immediate shutdown of affected servers, using backup data on the affected servers, and upgrading Itac’s firewall and antivirus measures.
Information Regulator of South Africa spokesperson Nomzamo Zondi said it conducted an assessment and an investigation into the security compromise to establish the level of Itac’s compliance with the Protection of Personal Information Act.
“Only one incident was reported to the regulator. We are not privy to ... information [regarding how much money may have been lost as a result of the attack], Itac would be in a better position to confirm that.”
Zondi said that in terms of section 22 of the Protection of Personal Information Act the Information Regulator must be informed of any breach “as soon as reasonably possible after the discovery of the compromise”.
The regulator, which receives about 140 cases a month, has fined the department of justice & constitutional development for contravention of the Protection of Personal Information Act, Zondi said.
Itac urged stakeholders to remain vigilant and never disclose personal identification numbers, passwords, or one-time passwords over the phone, or via text or email.
It also advised companies to provide personal information to verifiable sources only, and avoid suspicious links and unwanted marketing calls when contacting the commission.