Regulator issues enforcement notice against TransUnion for hack in 2022

The Information Regulator has issued an enforcement notice against credit bureaus, TransUnion, for a data breach in 2022 after it was found that it breached the conditions for the lawful processing of personal information.

Adv Pansy Tlakula, chairperson of the Information Regulator, said in a recent news conference that her office investigated after TransUnion submitted a notification that it suffered a security compromise.

ITWeb broke the news about the TransUnion hack in 2022, when N4ughtySecTU demanded $15 million (R223 million) ransom for four terabytes of compromised data. The group claimed after the hack that it had accessed several million personal records of South Africans, including the personal details of president Cyril Ramaphosa.

“TransUnion breached the conditions for the lawful processing of personal information by failing to secure the confidentiality of personal information it is possession and take appropriate technical and organisational measures to ensure access control is implemented as directed by its own policies,” Tlakula said.

ALSO READ: Information regulator ‘extremely concerned’ with TransUnion security

Regulator found no controls in line with its own security policy

In addition, the Regulator found that TransUnion also did not implement any controls to detect the failure and therefore failed to prevent unlawful access to information on its database.

The Regulator also found that the credit bureau failed to implement the safeguard that had to be put in place in the form of access management and user creation policies. TransUnion also did not implement provisions of its own information security policy which covered domains recommended to ensure confidentiality, integrity and availability of its information. The password complexity requirement was also disregarded.

The Regulator then issued the enforcement notice and ordered TransUnion to develop and implement security measures to ensure the integrity and confidentiality of personal information in its possession to prevent unlawful access.

ALSO READ: President Cyril Ramaphosa’s personal financial information hacked

TransUnion implemented number of improvements

TransUnion also had to obtain the services of a qualified auditor to perform an audit on its user accounts against its user creation policy to determine if the configuration of a user account falls outside the user policy.

In addition, the credit bureau had to conduct a personal information impact assessment to ensure adequate measures and standards exist to comply with the conditions for the lawful processing of personal information. TransUnion has until 26 May to submit proof that all these measures were implemented.

TransUnion South Africa said in a statement that it implemented a number of improvements after the incident following a review by a leading independent forensics and security firm.

“We are now implementing the Regulator’s additional recommendations and welcome the conclusion of the matter.”