TransUnion under fire
NOTICE: FAILING TO SECURE CONFIDENTIALITY OF PERSONAL INFO
Regulator’s probe follows 2022 hack on credit bureau and ransom demand.
The Information Regulator has issued an enforcement notice against credit bureau TransUnion over a data breach in 2022, after finding that the company breached the conditions for the lawful processing of personal information.
Advocate Pansy Tlakula, chair of the Information Regulator, said in a recent news conference that her office investigated TransUnion after it submitted a notification that it had experienced a security compromise.
“TransUnion breached the conditions for the lawful processing of personal information by failing to secure the confidentiality of personal information it is in possession of and to take appropriate technical and organisational measures to ensure access control is implemented as directed by its own policies,” she said.
In addition, the regulator found that TransUnion did not implement any controls to detect the failure and, therefore, enabled unlawful access through the use of compromised credentials and a weak password.
The regulator also found that the credit bureau failed to implement the safeguards that had to be put in place in the form of access management and user creation policies.
TransUnion also did not implement provisions of its own information security policy which covered domains recommended to ensure confidentiality, integrity and availability of its information. The password complexity requirement was also disregarded.
The regulator’s enforcement notice ordered TransUnion to develop and implement security measures to ensure the integrity and confidentiality of personal information in its possession to prevent unlawful access.
TransUnion also had to get a qualified auditor to audit its user accounts against its user creation policy to determine if the configuration of a user account falls outside the user policy.
In addition, the credit bureau had to conduct a personal information impact assessment to ensure adequate measures and standards exist to comply with the conditions for the lawful processing of personal information.
TransUnion has until 26 May to submit proof that all these measures were implemented.
TransUnion South Africa said that it implemented a number of improvements after the incident following a review by a leading independent forensics and security firm. “We are now implementing the regulator’s additional recommendations.”
ITWeb broke the news about the TransUnion hack in 2022, when N4ughtySecTU demanded a $15 million (about R223 million) ransom for four terabytes of compromised data. The group claimed it had accessed several million personal records of South Africans, including President Cyril Ramaphosa’s.