Department of Justice nailed for negligence after ransomware attack

[Nat Quinn]

South Africa’s Information Regulator has issued an enforcement notice to the Department of Justice and Constitutional Development (DoJ&CD) over a September 2021 ransomware attack. (Pictured: Pansy Tlakula, Information Regulator chair.)

Essentially, the regulator found that negligence contributed to the department falling victim to the attack.

Among other enforcement actions, the regulator ordered those accountable for the negligence to face disciplinary proceedings.

The attack severely impacted the Master’s Office and crippled South Africa’s courts for weeks.

In a statement issued three days after the attack, the department admitted that all electronic services it provides were affected, including issuing letters of authority, bail services, email, and the departmental website.

Ransomware attacks involve cybercriminals gaining access to systems and encrypting potentially valuable files, locking users out of their data.

System files are left intact so that users may access the system and see the “ransom note” left behind.

The ransom note may contain a demand for payment, in cryptocurrency, for a method to decrypt the files. It may also not mention a specific amount but direct users to a chat service on the dark web to negotiate a fee.

Attackers also often exfiltrate data from compromised systems and threaten to leak it online unless victims pay.

The Department of Justice attack raised concerns that people’s most sensitive information could be at risk, as the Master’s Office handles everything from child support payments to deceased estates.

Departmental spokesperson Steve Mahlangu initially said there was no indication that people’s data had been compromised.

Much later, it emerged that the attackers got their hands on 1,204 files.

Ronald Lamola, Minister of Justice and Correctional Services

Shortly after Mahlangu’s initial statement, a source told MyBroadband that the attackers had demanded 50 bitcoin for the safe return of the encrypted data.

They also said the department’s backups had been encrypted, suggesting a quick recovery from the incident wasn’t on the cards.

However, the department vehemently denied this, saying the attackers had not demanded any specific amount.

Although there was never any closure regarding the ransom demand aside from the department’s denial, its systems only started coming back online four weeks after the attack.

In the interim, South Africa’s lower courts had to fall back to manual recording equipment. Master’s Offices were also forced to revert to manual systems, drastically slowing down services.

Then, in March 2022, it emerged that the DOJ&CD had allowed its IT contracts to lapse during 2021.

It got hacked a month after internal staff took over the previously outsourced functions.

It is this lapse for which the Information Regulator is cracking down on the department.

“Following the assessment, the Regulator found that the department had failed to put in place adequate technical measures to monitor and detect unauthorised exfiltration of data from their environment resulting in the loss of approximately 1,204 files,” the regulator stated.

“This occurred as a result of the DoJ&CD’s failure to renew the Security Incident and Event Monitoring (SIEM) licence, which would have enabled it to monitor unusual activity on their network and keep a backup of the log files.”

“The failure to renew the licence resulted in the unavailability of critical information contained in the log files. The SIEM licence expired in 2020.”

The regulator found that the DoJ&CD also failed to renew the Intrusion Detection System licence, which also expired in 2020.

“Had this licence been renewed, the department would have received alerts of suspicious activity by unauthorised people accessing the network,” the regulator said.

“The Trend Antivirus licence was also not renewed in 2020 when it expired. The failure to renew this licence resulted in the virus definition for known malware threats not being updated.”

The Johannesburg Central Magistrate’s Court building

The regulator said the department had failed to take reasonable measures to identify foreseeable internal and external risks to protecting personal information in its possession or under its control, and establish and maintain appropriate safeguards against the identified risks.

In light of this failure, the Information Regulator found the DoJ&CD in contravention of sections 19 and 22 of the Protection of Personal Information Act.

Aside from the disciplinary action against the official or officials who failed to renew the relevant software licences, the department must also submit proof within 31 days that the licences have since been renewed.

“Should the DoJ&CD fail to abide by the Enforcement Notice within the stipulated timeframe, it will be guilty of an offence,” the regulator warned.

If the department fails to comply, the regulator could impose an administrative fine of up to R10 million.

If the matter goes to court and the regulator obtains a conviction, the responsible officials could face a fine and imprisonment.

“With the rising scourge of security compromises, responsible parties are urged to improve their information security systems to ensure that there are adequate safeguards to protect personal information of data subjects in their possession or under their control,” the Information Regulator stated.

“The Regulator places emphasis on the management of risks arising from security compromises.”

 

SOURCE:Department of Justice nailed for negligence after ransomware attack (mybroadband.co.za)

[Author]

Posts