South Africa’s data leak and privacy watchdog cuts its teeth

2023-09-06 at 14:41 #419214 Nat Quinn (Keymaster)
South Africa’s Information Regulator is flexing its muscles, slapping its own government department and a major JSE-listed company with enforcement notices in the span of four months.
Dis-Chem received an enforcement notice in August 2023, while the Department of Justice (DoJ) received one in May. The DoJ failed to abide by the notice and was slapped with a hefty fine.
These came after South Africa’s justice department suffered a ransomware attack in September 2021, and Dis-Chem a data breach via a third-party vendor in May 2022.
Both attacks resulted in people’s personal details being exposed.
More recently, the Information Regulator — headed by chair Pansy Tlakula (pictured above) — issued Dis-Chem with an enforcement notice on 31 August 2023, instructing it to fix its security issues or face a R10 million fine.
The regulator explained that the data breach had occurred due to a simple brute-force attack sometime in April.
“A brute force attack is aimed at cracking a password by continuously trying different combinations until the right character combination is found,” the regulator explained.
It found that the company hadn’t done enough to secure its customers’ private data.
Dis-Chem became aware of the data breach on 1 May 2022, when it was informed that an unauthorised party managed to access its customer database.
This exposed 3.6 million client records, including full names, email addresses, and cellphone numbers. It informed the Information Regulator of the incident on 5 May.
Dis-Chem has until 1 October 2023 to provide the Information Regulator with proof of its actions to secure client records.
The company strongly objected to the Information Regulator’s allegation that it didn’t notify people timeously or appropriately.
However, it confirmed that it will report to the regulator within 31 days as requested.
Before tackling Dis-Chem, the Information Regulator issued its very first enforcement notice against the Department of Justice — the same government department under which it falls.
The notice was issued on 9 May 2023, with the Information Regulator citing negligence as the reason behind the DoJ’s systems being hacked in September 2021.
Following an investigation, departmental director-general advocate Doctor Mashabane discovered that the attackers got their hands on 1,204 files.
The Information Regulator confirmed that the following personal information may have been compromised:
- Names, addresses, identity numbers, and phone numbers of information officers
- Names, residential addresses, identity numbers, phone numbers, qualifications, bank accounts, and salaries of employees
- Names, addresses, and bank details of the service providers
Among other enforcement actions, the regulator ordered those accountable for the negligence to face disciplinary proceedings.
“Following the assessment, the Regulator found that the department had failed to put in place adequate technical measures to monitor and detect unauthorised exfiltration of data from their environment resulting in the loss of approximately 1,204 files,” it said.
“This occurred as a result of the DoJ&CD’s failure to renew the Security Incident and Event Monitoring (SIEM) licence, which would have enabled it to monitor unusual activity on their network and keep a backup of the log files.”
“The failure to renew the licence resulted in the unavailability of critical information contained in the log files. The SIEM licence expired in 2020,” the regulator added.
Ronald Lamola, Minister of Justice and Correctional Services
It said that had the department renewed its SIEM licence on time, it would have been alerted to the malicious activity.
In light of the DoJ’s failure, the Information Regulator found the DoJ in contravention of sections 19 and 22 of the Protection of Personal Information Act.
In addition to the disciplinary action against the official or officials who failed to renew the relevant software licences, the regulator instructed the DoJ to submit proof within 31 days that the licences had been renewed.
“Should the DoJ fail to abide by the Enforcement Notice within the stipulated timeframe, it will be guilty of an offence,” it said.
On 3 July 2023, the Information Regulator issued an Infringement Notice to the DoJ, instructing it to pay a R5 million administrative fine after failing to provide proof of its licence renewals within 31 days.
“The thirty-one days given to the department expired on 9 June 2023,” the regulator said.
“To date, the department has not provided the Regulator with a report on the implementation of the actions required in the Enforcement Notice or any other communication in that regard.”
SOURCE: South Africa’s data leak and privacy watchdog cuts its teeth (mybroadband.co.za)
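The two incidents above turn on the same defensive gap: nobody was counting repeated failed logins (the brute-force case) and nobody was retaining or alerting on the logs that would have shown it (the lapsed SIEM licence). The following is an added illustration, not code from the article, the regulator or either organisation: a minimal SIEM-style correlation rule that reads authentication log lines, flags a source address once it exceeds a threshold of failures inside a sliding window, and records whether a successful login followed the burst. The log format, the source addresses and the timestamps are all constructed for the example.

```python
"""Brute-force login detection over constructed authentication log lines.

Added example, not from the article. The log format below is hypothetical;
the addresses are documentation ranges and the timestamps are made up.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical one-line-per-attempt format: "<iso-ts> auth FAIL|SUCCESS user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Alert:
    src: str
    first_seen: datetime
    failures: int
    users: set = field(default_factory=set)
    success_after_burst: bool = False  # the "password found" signature


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag any src with >= threshold failed logins inside a sliding window.

    Returns the list of Alerts in the order they were opened. An alert stays
    open while the source keeps failing inside the window; a SUCCESS from
    that source while the alert is open is recorded on the alert.
    """
    recent = defaultdict(deque)  # src -> (ts, user) of failures still inside the window
    active = {}                  # src -> Alert currently open for that source
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # unparseable line: skip, never crash the rule
        ts, result, user, src = parsed
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()                   # slide the window forward
        if not q and src in active:
            del active[src]               # burst aged out; a later burst opens a new alert
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= threshold:
                if src not in active:
                    active[src] = Alert(src, q[0][0], len(q), {u for _, u in q})
                    alerts.append(active[src])
                else:
                    active[src].failures += 1
                    active[src].users.add(user)
        elif src in active:
            active[src].success_after_burst = True
    return alerts


# Constructed sample log: one source hammers two accounts and then gets in,
# a second source has a single typo-style failure, one line is garbage.
SAMPLE_LOG = """\
2022-04-12T02:00:01Z auth FAIL user=admin src=203.0.113.7
2022-04-12T02:00:02Z auth FAIL user=admin src=203.0.113.7
2022-04-12T02:00:03Z auth FAIL user=admin src=203.0.113.7
2022-04-12T02:00:04Z auth FAIL user=backup src=203.0.113.7
2022-04-12T02:00:05Z auth FAIL user=admin src=203.0.113.7
2022-04-12T02:00:06Z auth FAIL user=admin src=203.0.113.7
2022-04-12T02:00:07Z auth SUCCESS user=admin src=203.0.113.7
2022-04-12T02:00:09Z auth FAIL user=jsmith src=198.51.100.4
2022-04-12T02:00:15Z auth SUCCESS user=jsmith src=198.51.100.4
this line is not in the expected format and is skipped
""".splitlines()


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a.src}: {a.failures} failures from {a.first_seen:%H:%M:%S}, "
              f"accounts={sorted(a.users)}, success_after_burst={a.success_after_burst}")
```

The rule needs the log lines to exist in the first place, which is the point the regulator made about the expired licence: a threshold like this is useless if failed-login events are neither collected nor retained. In a real deployment the threshold and window are tuned against the baseline failure rate, and the `success_after_burst` flag is the one worth paging on.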