Hacked TransUnion could face R10m fine
TransUnion SA, whose systems were breached by hackers who demanded a ransom of $15m (R223m) and claimed to have access to the personal records of 54-million South Africans, could be in hot water with SA’s Information Regulator if its safeguards against cyberattack are found to have been insufficient.
The Information Regulator, a constitutional body that regulates private and public companies to ensure they are compliant with the Protection of Personal Information Act and the Promotion of Access to Information Act, said it has been informed officially by TransUnion of the breach.
Nomzamo Zondi, senior manager of communications at the Information Regulator, said it would investigate the breach and “where we find instances of illegality or lack of proper safeguards for protection of personal information, we will hold everyone involved accountable”.
“What is claimed is that there is a massive amount of data, subjects’ personal information — some 54-million people — which may have been accessed by unauthorised people and this makes this a serious incident.”
She said if the regulator finds there were “illegalities or lack of proper safeguards”, TransUnion could be fined up to R10m.
ITWeb reports that it spoke to the hackers via the messaging service Telegram and was told that the IT systems used by TransUnion were “so weak” that they used the word “Password”, and they contacted CEO Lee Naik on his personal cellphone after his information was found on the TransUnion system.
However, TransUnion said in a statement yesterday that no new personal information had been compromised, and that the data had in fact been breached several years ago.
“We believe that the 54-million records relate to a 2017 data incident unrelated to TransUnion.”
In an earlier statement on Friday, TransUnion said a “criminal third party obtained access to a TransUnion SA server through misuse of an authorised client’s credentials”, and that the company had “received an extortion demand and it will not be paid”.
When it discovered the breach it immediately “suspended the client’s access, engaged cybersecurity and forensic experts and launched an investigation,” it said.
“As a precautionary measure, TransUnion SA took certain elements of its services offline.
“These services have resumed. We believe the incident affected an isolated server holding limited data from our South African business. We are working with law enforcement and regulators.”
The group said it is “engaging” with clients in SA about the incident and that as its “investigation progresses, we will notify and assist individuals whose personal data may have been affected”.
“We will be making identity protection products available to affected consumers free of charge. The security and protection of the information we hold is TransUnion’s top priority,” said Naik.
“We understand that situations like this can be unsettling and TransUnion SA remains committed to assisting anyone whose information may have been affected.”
Bryan Turner, a data analyst at World Wide Worx, said TransUnion finds itself “caught between a rock and a hard place” because if it doesn’t accede to the cyberattackers’ demands and people’s personal information is leaked, it could run foul of local regulators and possibly be fined.
“They say they are not keen on paying the ransom but there are 54-million personal records now potentially being exposed, which also may come with a fine from the Information Regulator.”
Turner said cyberattacks are on the rise around the world, and this has been seen especially recently with the invasion of Ukraine by Russia.
“We are looking at a new landscape of war and that’s a cyberwar. All countries are going to be susceptible to these types of cyberattacks.”
Private companies that let their guard down “will become victims”.
Turner said it is essential for private companies to “stay on top of their cybersecurity game”.
He said they need to start employing the people who hack them to “ensure that the strategies they have in place are sound to protect themselves”.
“As cyber security strategies age, it’s always been a game of cat and mouse between companies and cyber attackers, but now it is becoming an even bigger game of cat and mouse,” said Turner.