News

Home » News

Avatar photo

By Narissa Subramoney

Deputy digital news editor

5 minute read

25 Mar 2022

02:15 pm

Information regulator ‘extremely concerned’ with TransUnion security

The Information Regulator has found TransUnion's handling of the hack inadequate and unsatisfactory.

The Regulator instructed the credit bureau on 19 March 2022 to explain the circumstances of the security breach. Picture - iStock

The Regulator instructed the credit bureau on 19 March 2022 to explain the circumstances of the security breach. Picture – iStock

The Information Regulator is seething over the way in which TransUnion has responded to the security hack which has exposed the personal information of 54 million people.

The Regulator instructed the credit bureau on 19 March 2022 to explain the circumstances of the security breach, by Brazil-based hacker group N4aughtysecTU- who claimed responsibility for the attack.

TransUnion handling ‘inadequate and unsatisfactory’

“The notification that TransUnion submitted is inadequate, unsatisfactory and falls short of what is required by the Protection of Personal Information Act (POPIA),” said the regulator in a statement.

“The notification does not provide sufficient details nor remedy to the millions of data subjects, people about whom the personal information relates, whose personal information has been compromised by the TransUnion security compromise.”

The regulator said that TransUnion omitted critical information that should have provided assurance on how the matter is managed.

“The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis.”

This has left the Regulator extremely concerned over TransUnion’s ability to safeguard the protection of personal information as is required in terms of POPIA.

The Regulator has now further directed that TransUnion provides the following:

  • A detailed description of the possible consequences of the security compromise and its impact on data subjects.
  • Advice and recommendations on the measures to be taken by the data subjects to mitigate the potential adverse effects of the security compromise.
  • Description of the measures that TransUnion intends to take or has taken to address the security compromise

Popia empowers the Regulator to force TransUnion to make public any information on how affected people’s data would be protected.

“To this extent, and after considering the nature of personal information that has been compromised, the Regulator has directed that over and above other means of notification that TransUnion has employed, it must use all radio stations, broadcasting in each official language, publish in all newspapers and drive communication on various social media platforms to provide sufficient notification to data subjects about this security compromise,” said the Regulator in a statement.

The Regulator said it’s undertaken a ‘careful assessment of the credit bureau’s security compromise, including the extent and severity of the breach.

It’s now decided that it will investigate ‘the appropriateness of TransUnion’s security measures on integrity and confidentiality of people’s personal information in its possession or under its control.’

The Regulator is demanding a response from the credit bureau by 01 April 2022.

It also wants TransUnion to register a criminal case with Saps, in terms of the Cybercrimes Act, Act No. 19 of 2020.

If no criminal case has been opened, the Regulator has requested reasons for the delay in doing so.

N4ughtysecTU- Hacker group calls for infiltrators

The regulator’s statement comes after N4ughtysecTU began releasing the identity numbers of South Africa’s prominent politicians including President Cyril Ramaphosa and first lady Tshepo Motsepe, on a telegram group.

TransUnion hack leaks. Source – @N4ughtySecTU

The hackers have demanded a R224m ransom from TransUnion SA- something the credit bureau has refused to pay.

N4aughtysectu has also made an offer to employees working in crucial service departments to earn double their salaries by working as infiltrators.

“We will be looking for employees working in important areas of the country such as electricity, water and hospital systems infrastructure, we offer money (we will give you double your salary) for you to serve as infiltrators. Anyone interested in the business, call @N4ughtySecTU,” said the group on its Telegram group.

Soon after the hacker group opened the channel, some South Africans began requesting that their applications for loans be approved and their debts erased.

Source – N4ughtyTU

NOW READ: Hackers with access to 54 million personal records demand R224m ransom from TransUnion SA

Catch up with the latest news from The Citizen on WhatsApp by following our channel. Click here to join.

EDITOR'S CHOICE

Elections Cele says anyone that disrupts elections will be dealt with
Elections New poll shows support for ANC close to 40% a month before elections
Politics Bye bye parliament? MK party comrades sent packing weeks before national elections
Local Soccer Mokwena unsure of Sundowns future after Champions League exit
Courts Here’s why Electoral Court overturned IEC’s decision to bar Zuma’s candidacy

Click here to get The Citizen news and updates on Whatsapp.

Find out more

RELATED ARTICLES

Access premium news and stories

Access to the top content, vouchers and other member only benefits

Subscribe